
CVE-2025-37849: Vulnerability in the Linux kernel

High
Published: Fri May 09 2025 (05/09/2025, 06:41:56 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Tear down vGIC on failed vCPU creation. If kvm_arch_vcpu_create() fails to share the vCPU page with the hypervisor, we propagate the error back to the ioctl but leave the vGIC vCPU data initialised. Not only does this leak the corresponding memory when the vCPU is destroyed, but it can also lead to use-after-free if the redistributor device handling tries to walk into the vCPU. Add the missing cleanup to kvm_arch_vcpu_create(), ensuring that the vGIC vCPU structures are destroyed on error.

AI-Powered Analysis

AI analysis last updated: 07/04/2025, 00:26:16 UTC

Technical Analysis

CVE-2025-37849 is a vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) implementation for the ARM64 architecture. The issue arises during creation of virtual CPUs (vCPUs): when kvm_arch_vcpu_create() fails to share the vCPU page with the hypervisor, it returns the error to the ioctl caller but does not clean up the virtual Generic Interrupt Controller (vGIC) vCPU data structures that were already initialised. This incomplete cleanup leaks the corresponding memory when the vCPU is destroyed and, more critically, creates a use-after-free condition: the redistributor device handling code may later walk into the stale vCPU data, leading to undefined behaviour, kernel crashes, or potentially privilege escalation. The fix adds the missing teardown to kvm_arch_vcpu_create() so that the vGIC vCPU structures are destroyed whenever an error occurs during vCPU creation. The affected-version range in the CVE record starts at commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (the initial commit of the kernel's git history, so the record does not narrow down the commit that introduced the bug), and the CVE was published on May 9, 2025. No exploits in the wild were known at publication, and no CVSS score had been assigned.
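The error-path pattern the fix addresses, shown as an added illustration rather than the kernel's own code: a minimal C model in which a vGIC-like per-vCPU structure is initialised, a later "share with hypervisor" step fails, and the buggy create path returns the error without unwinding while the fixed path tears the structure down first. Every name here (vcpu_create_buggy, vcpu_create_fixed, vgic_vcpu_init, vgic_vcpu_destroy, share_vcpu_page, leaks_vgic_on_failure) is a hypothetical stand-in, and the fail_share flag is a constructed way to force the failure so both paths can be compared.

```c
/* Model of "partial init, later failure, missing teardown" (added example, not kernel code).
 * All names are hypothetical stand-ins for the kvm_arch_vcpu_create() / vGIC flow. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct vgic_cpu {
    int *irq_state;      /* per-vCPU interrupt state, dynamically allocated */
    bool initialised;    /* set once vgic_vcpu_init() has run */
};

struct vcpu {
    struct vgic_cpu vgic;
    bool page_shared;    /* set once the page has been "shared" with the hypervisor */
};

/* Stand-in for vGIC per-vCPU initialisation: allocates state and marks it live. */
static int vgic_vcpu_init(struct vcpu *v)
{
    v->vgic.irq_state = calloc(32, sizeof(int));
    if (!v->vgic.irq_state)
        return -12; /* -ENOMEM-style error code */
    v->vgic.initialised = true;
    return 0;
}

/* Stand-in for the matching teardown. */
static void vgic_vcpu_destroy(struct vcpu *v)
{
    free(v->vgic.irq_state);
    v->vgic.irq_state = NULL;
    v->vgic.initialised = false;
}

/* Stand-in for sharing the vCPU page with the hypervisor.
 * fail_share is a constructed switch that forces the error path. */
static int share_vcpu_page(struct vcpu *v, bool fail_share)
{
    if (fail_share)
        return -12;
    v->page_shared = true;
    return 0;
}

/* Buggy ordering: vGIC init succeeds, share fails, error returned with vGIC left initialised. */
int vcpu_create_buggy(struct vcpu *v, bool fail_share)
{
    int err = vgic_vcpu_init(v);
    if (err)
        return err;
    err = share_vcpu_page(v, fail_share);
    if (err)
        return err; /* BUG: v->vgic still initialised; leaked, and stale for later walks */
    return 0;
}

/* Fixed ordering: unwind the vGIC state on the share error path before returning. */
int vcpu_create_fixed(struct vcpu *v, bool fail_share)
{
    int err = vgic_vcpu_init(v);
    if (err)
        return err;
    err = share_vcpu_page(v, fail_share);
    if (err)
        goto out_vgic;
    return 0;

out_vgic:
    vgic_vcpu_destroy(v);
    return err;
}

/* Drives a create routine down its failure path and reports whether vGIC state was left behind,
 * which is exactly the stale state a later redistributor walk would touch. */
bool leaks_vgic_on_failure(int (*create)(struct vcpu *, bool))
{
    struct vcpu v = {0};
    int err = create(&v, true);
    bool leaked = (err != 0) && v.vgic.initialised;
    if (leaked)
        vgic_vcpu_destroy(&v); /* release the model's own leak so the demo itself does not leak */
    return leaked;
}

int main(void)
{
    printf("buggy path leaves vGIC state behind on failure: %s\n",
           leaks_vgic_on_failure(vcpu_create_buggy) ? "yes" : "no");
    printf("fixed path leaves vGIC state behind on failure: %s\n",
           leaks_vgic_on_failure(vcpu_create_fixed) ? "yes" : "no");
    return 0;
}
```

The point of the model is the ordering: any resource initialised before a step that can fail needs a matching release on that step's error path, and a `goto out_*` unwind ladder is the idiomatic kernel way to keep those releases in the reverse order of acquisition.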

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to environments running ARM64-based Linux systems with KVM virtualization enabled. The use-after-free condition can lead to kernel crashes, resulting in denial of service (availability impact), and potentially allow attackers with local access to escalate privileges or execute arbitrary code within the kernel context, compromising system integrity and confidentiality. Organizations relying on ARM64 servers or edge computing devices using KVM virtualization could face operational disruptions or security breaches if exploited. Given the increasing adoption of ARM64 architectures in data centers and cloud environments across Europe, especially for energy-efficient and high-performance computing, this vulnerability could impact critical infrastructure, cloud service providers, and enterprises using ARM64 virtualized environments. The absence of known exploits currently reduces immediate risk, but the vulnerability's nature means that once exploit techniques are developed, attacks could be severe. Additionally, the vulnerability requires local access and interaction with the KVM interface, limiting remote exploitation but still posing a threat in multi-tenant or shared environments.

Mitigation Recommendations

European organizations should prioritize patching affected Linux kernel versions as soon as updates become available from their Linux distribution vendors. Since the vulnerability involves kernel-level virtualization components, it is critical to:

1) Audit and inventory all ARM64-based systems running KVM to identify vulnerable hosts.
2) Apply kernel updates or backported patches that include the fix for CVE-2025-37849 promptly.
3) Restrict access to KVM ioctl interfaces to trusted users only, minimizing the risk of local exploitation by unprivileged users.
4) Implement strict access controls and monitoring on virtualization hosts to detect anomalous behavior related to vCPU creation or manipulation.
5) For cloud providers and multi-tenant environments, isolate tenants effectively to prevent lateral movement if exploitation occurs.
6) Consider deploying runtime kernel integrity monitoring tools that can detect use-after-free or memory corruption attempts in the kernel space.
7) Engage with hardware and software vendors to ensure ARM64 virtualization stacks are updated and tested for this vulnerability.

These measures go beyond generic advice by focusing on ARM64 KVM-specific controls and operational practices relevant to European infrastructure.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.954Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd7c90

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/4/2025, 12:26:16 AM

Last updated: 8/5/2025, 12:34:26 AM

