
CVE-2025-37908: Vulnerability in Linux Linux

High
Published: Tue May 20 2025 (05/20/2025, 15:21:41 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

mm, slab: clean up slab->obj_exts always

When memory allocation profiling is disabled at runtime or due to an error, shutdown_mem_profiling() is called: slab->obj_exts which previously allocated remains. It won't be cleared by unaccount_slab() because of mem_alloc_profiling_enabled() not true. It's incorrect, slab->obj_exts should always be cleaned up in unaccount_slab() to avoid following error:

[...]BUG: Bad page state in process...
..
[...]page dumped because: page still charged to cgroup

[andriy.shevchenko@linux.intel.com: fold need_slab_obj_ext() into its only user]

AI-Powered Analysis

Last updated: 07/04/2025, 01:26:06 UTC

Technical Analysis

CVE-2025-37908 is a vulnerability identified in the Linux kernel's memory management subsystem, specifically related to the slab allocator's handling of memory allocation profiling data structures. The flaw arises when memory allocation profiling is disabled either at runtime or due to an error condition. In such cases, the function shutdown_mem_profiling() is invoked, but the slab->obj_exts structure, which holds extended metadata for slab objects, remains allocated and is not properly cleaned up. This occurs because the unaccount_slab() function, responsible for cleaning up slab accounting data, only clears slab->obj_exts if memory allocation profiling is enabled (mem_alloc_profiling_enabled() returns true). The incorrect logic leads to slab->obj_exts persisting beyond its intended lifecycle.

As a result, this can cause kernel memory accounting inconsistencies, leading to a "BUG: Bad page state in process" error and pages being incorrectly charged to cgroups. This bug can cause kernel instability, potential memory leaks, and system crashes due to corrupted memory accounting states.

The vulnerability is rooted in a logic error in the kernel's memory profiling cleanup code and affects Linux kernel versions identified by the commit hash 21c690a349baab895dc68ab70d291e1598d7109d. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet. The fix involves ensuring slab->obj_exts is always cleaned up in unaccount_slab(), regardless of the profiling state, preventing the bad page state errors and improving kernel robustness.
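The cleanup logic described above can be reproduced in a small user-space model. This is an added example, not kernel source and not code from this page: the function names follow the advisory, while the struct layout, the allocation size and the run_scenario() helper are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model (assumption): names follow the advisory; not kernel code. */
static bool profiling_enabled;    /* stands in for mem_alloc_profiling_enabled() */
struct slab { void *obj_exts; };  /* per-slab extension metadata */

static void account_slab(struct slab *s)
{
    if (profiling_enabled)
        s->obj_exts = calloc(16, sizeof(void *));
}

static void shutdown_mem_profiling(void) { profiling_enabled = false; }
static void free_obj_exts(struct slab *s) { free(s->obj_exts); s->obj_exts = NULL; }

/* Pre-fix logic: cleanup depends on the profiling state at free time. */
static void unaccount_slab_vulnerable(struct slab *s)
{
    if (profiling_enabled)
        free_obj_exts(s);
}

/* Post-fix logic: obj_exts is always cleaned up (free(NULL) is a no-op). */
static void unaccount_slab_fixed(struct slab *s) { free_obj_exts(s); }

/* Returns true if the slab is clean when released; false models "Bad page state". */
static bool run_scenario(void (*unaccount)(struct slab *), bool disable_midway)
{
    struct slab s = { NULL };
    profiling_enabled = true;
    account_slab(&s);             /* metadata allocated while profiling is on */
    if (disable_midway)
        shutdown_mem_profiling(); /* runtime disable or error path */
    unaccount(&s);
    bool clean = (s.obj_exts == NULL);
    free(s.obj_exts);             /* release the model's leftover allocation */
    return clean;
}

int main(void)
{
    printf("profiling disabled midway: pre-fix clean=%d, post-fix clean=%d\n",
           run_scenario(unaccount_slab_vulnerable, true),
           run_scenario(unaccount_slab_fixed, true));
    return 0;
}
```

The pre-fix path only misbehaves when profiling is switched off between allocation and release, which is why the condition is easy to miss in testing with profiling left in one state.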

Potential Impact

For European organizations relying on Linux-based systems, this vulnerability poses a risk primarily to system stability and availability. Servers, cloud infrastructure, and embedded devices running affected Linux kernel versions may experience kernel panics or crashes due to corrupted memory accounting states. This can lead to unexpected downtime, service interruptions, and potential data loss if critical processes are terminated abruptly. Although this vulnerability does not directly expose confidentiality or integrity risks, the resulting denial of service conditions can disrupt business operations, especially for organizations with high availability requirements such as financial institutions, healthcare providers, and critical infrastructure operators. Additionally, environments using cgroups extensively for resource management and container orchestration (e.g., Kubernetes clusters) may see more pronounced effects, as the bug involves pages still charged to cgroups incorrectly. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed proactively to maintain system reliability and prevent potential exploitation by attackers who might trigger the bug to cause denial of service.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to the patched versions that include the fix for CVE-2025-37908. Since the vulnerability involves kernel memory management internals, applying vendor-supplied kernel updates or patches is the most effective mitigation. Organizations should:

1) Identify all systems running affected Linux kernel versions, including servers, virtual machines, and container hosts.
2) Test and deploy kernel updates from trusted Linux distributions or kernel maintainers promptly.
3) Monitor system logs for kernel BUG messages or memory accounting errors that may indicate attempts to trigger this vulnerability.
4) For environments using memory allocation profiling tools, review profiling configurations to ensure they do not inadvertently disable profiling in a way that triggers this bug.
5) Implement robust system monitoring and automated recovery mechanisms to minimize downtime in case of kernel crashes.
6) Engage with Linux vendor support channels for guidance on backporting patches if immediate kernel upgrades are not feasible.

Avoid manual kernel modifications unless performed by experienced personnel, as incorrect changes can worsen system stability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.966Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682cd0f71484d88663aeaf5c

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/4/2025, 1:26:06 AM

Last updated: 8/14/2025, 6:57:44 AM
