CVE-2025-37929: Vulnerability in the Linux kernel (arm64)
Description
In the Linux kernel, the following vulnerability has been resolved:

arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays

Commit a5951389e58d ("arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists") added some additional CPUs to the Spectre-BHB workaround, including some new arrays for designs that require new 'k' values for the workaround to be effective.

Unfortunately, the new arrays omitted the sentinel entry and so is_midr_in_range_list() will walk off the end when it doesn't find a match. With UBSAN enabled, this leads to a crash during boot when is_midr_in_range_list() is inlined (which was more common prior to c8c2647e69be ("arm64: Make _midr_in_range_list() an exported function")):

| Internal error: aarch64 BRK: 00000000f2000001 [#1] PREEMPT SMP
| pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : spectre_bhb_loop_affected+0x28/0x30
| lr : is_spectre_bhb_affected+0x170/0x190
| [...]
| Call trace:
|  spectre_bhb_loop_affected+0x28/0x30
|  update_cpu_capabilities+0xc0/0x184
|  init_cpu_features+0x188/0x1a4
|  cpuinfo_store_boot_cpu+0x4c/0x60
|  smp_prepare_boot_cpu+0x38/0x54
|  start_kernel+0x8c/0x478
|  __primary_switched+0xc8/0xd4
| Code: 6b09011f 54000061 52801080 d65f03c0 (d4200020)
| ---[ end trace 0000000000000000 ]---
| Kernel panic - not syncing: aarch64 BRK: Fatal exception

Add the missing sentinel entries.
AI Analysis
Technical Summary
CVE-2025-37929 is a boot-time crash in the Linux kernel's arm64 Spectre-BHB (Branch History Buffer) mitigation code. Spectre-BHB is a speculative-execution side channel affecting certain Arm cores, and the kernel's workaround is tuned per core: spectre_bhb_loop_affected() compares the running CPU's MIDR_EL1 (Main ID Register, which encodes implementer, part number, variant and revision) against several arrays of struct midr_range, each array corresponding to the loop count 'k' the workaround has to use. The arrays are sentinel-terminated: is_midr_in_range_list() walks entries until it reaches one whose model field is zero, and nothing else bounds the walk. Commit a5951389e58d added newer cores and introduced new arrays for designs needing new 'k' values, but left the terminating sentinel out of those arrays. When the boot CPU matches none of the entries in such an array, the walk continues past its end into whatever data follows it in memory.

What happens next depends on the build. With UBSAN bounds checking enabled, the out-of-bounds index is detected and the sanitizer's trap instruction executes; the trace shows this as an aarch64 BRK exception inside spectre_bhb_loop_affected(), reached from update_cpu_capabilities() via init_cpu_features() while the boot CPU's features are being recorded, so the kernel panics before any user space runs. The sanitizer can only check the index against the array's extent when that extent is visible at the access, which is why the report ties the crash to is_midr_in_range_list() being inlined into the function that declares the arrays; that was the usual case before c8c2647e69be made _midr_in_range_list() an out-of-line exported function. Trees that carry a5951389e58d but not that later change are therefore the ones most likely to crash. Without UBSAN the over-read is silent: the loop stops at the first zero word it happens to find beyond the array, so for an unmatched CPU the 'k' decision depends on link-time data layout rather than on the table. The fix adds the missing sentinel entries so every list is properly terminated.

Nothing in the report indicates the defect is usable for code execution or privilege escalation; the demonstrated effect is a denial of service (failure to boot) on affected arm64 kernels built with UBSAN. No exploitation in the wild had been reported as of publication.
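As an added illustration, not kernel code, the following C models the sentinel-terminated MIDR range walk the report describes, alongside the bounded walk and the terminator check that would have caught the defect. Struct and macro names mirror the kernel's (struct midr_range, MIDR_ALL_VERSIONS, is_midr_in_range_list), but the table contents, the 'k' assignments, the CPU_MODEL encoding helpers and the *_n / midr_list_terminated helpers are constructed for this example and are not the kernel's tables or API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MIDR_EL1 layout: [31:24] implementer, [23:20] variant, [15:4] part number, [3:0] revision. */
#define MIDR_CPU_MODEL_MASK        0xff00fff0u
#define MIDR_CPU_MODEL(imp, part)  (((uint32_t)(imp) << 24) | ((uint32_t)(part) << 4))
#define MIDR_CPU_VAR_REV(var, rev) (((uint32_t)(var) << 20) | (uint32_t)(rev))
#define ARRAY_SIZE(a)              (sizeof(a) / sizeof((a)[0]))

struct midr_range {
    uint32_t model;   /* implementer + part number; 0 marks the end of a list */
    uint32_t rv_min;  /* lowest variant/revision covered, inclusive */
    uint32_t rv_max;  /* highest variant/revision covered, inclusive */
};

#define MIDR_ALL_VERSIONS(m) { .model = (m), .rv_min = 0, .rv_max = MIDR_CPU_VAR_REV(0xf, 0xf) }
#define MIDR_SENTINEL        { .model = 0 }

/* Arm Ltd part numbers (implementer 0x41). Which list each core lands in is illustrative. */
#define CORTEX_A72 MIDR_CPU_MODEL(0x41, 0xd08)
#define CORTEX_A76 MIDR_CPU_MODEL(0x41, 0xd0b)
#define CORTEX_A78 MIDR_CPU_MODEL(0x41, 0xd41)

static const struct midr_range k32_list[] = { MIDR_ALL_VERSIONS(CORTEX_A78), MIDR_SENTINEL };
static const struct midr_range k24_list[] = { MIDR_ALL_VERSIONS(CORTEX_A76), MIDR_SENTINEL };
/* The defect the CVE fixes: a list whose author forgot the terminating MIDR_SENTINEL. */
static const struct midr_range k8_list_unterminated[] = { MIDR_ALL_VERSIONS(CORTEX_A72) };

static bool is_midr_in_range(uint32_t midr, const struct midr_range *r)
{
    uint32_t rv = MIDR_CPU_VAR_REV((midr >> 20) & 0xf, midr & 0xf);
    return (midr & MIDR_CPU_MODEL_MASK) == r->model && rv >= r->rv_min && rv <= r->rv_max;
}

/*
 * Kernel-style walk: the only stop condition is .model == 0. On an
 * unterminated list this keeps reading whatever follows the array in
 * memory, which is the out-of-bounds read UBSAN trapped at boot.
 * Never call it on k8_list_unterminated.
 */
static bool is_midr_in_range_list(uint32_t midr, const struct midr_range *list)
{
    for (size_t i = 0; list[i].model != 0; i++)
        if (is_midr_in_range(midr, &list[i]))
            return true;
    return false;
}

/* Review-time check: a list of n entries is safe to walk only if entry n-1 is the sentinel. */
static bool midr_list_terminated(const struct midr_range *list, size_t n)
{
    return n > 0 && list[n - 1].model == 0;
}

/* Bounded walk: stops at the sentinel or at n, whichever comes first, so a missing
 * sentinel cannot become an over-read. Callers pass ARRAY_SIZE() of the table. */
static bool is_midr_in_range_list_n(uint32_t midr, const struct midr_range *list, size_t n)
{
    for (size_t i = 0; i < n && list[i].model != 0; i++)
        if (is_midr_in_range(midr, &list[i]))
            return true;
    return false;
}

/* Selects the loop count k for a MIDR; 0 means "in no list", i.e. no loop workaround. */
static unsigned int spectre_bhb_loop_k(uint32_t midr)
{
    const struct { const struct midr_range *list; size_t n; unsigned int k; } tables[] = {
        { k32_list, ARRAY_SIZE(k32_list), 32 },
        { k24_list, ARRAY_SIZE(k24_list), 24 },
        { k8_list_unterminated, ARRAY_SIZE(k8_list_unterminated), 8 },
    };
    for (size_t t = 0; t < ARRAY_SIZE(tables); t++)
        if (is_midr_in_range_list_n(midr, tables[t].list, tables[t].n))
            return tables[t].k;
    return 0;
}

int main(void)
{
    uint32_t a78_r1p0 = CORTEX_A78 | MIDR_CPU_VAR_REV(1, 0);
    printf("k32 list terminated: %d\n", midr_list_terminated(k32_list, ARRAY_SIZE(k32_list)));
    printf("k8  list terminated: %d\n",
           midr_list_terminated(k8_list_unterminated, ARRAY_SIZE(k8_list_unterminated)));
    printf("A76 in k24 (kernel-style walk): %d\n", is_midr_in_range_list(CORTEX_A76, k24_list));
    printf("k for Cortex-A78 r1p0: %u\n", spectre_bhb_loop_k(a78_r1p0));
    printf("k for Cortex-A72 r0p3: %u\n", spectre_bhb_loop_k(CORTEX_A72 | MIDR_CPU_VAR_REV(0, 3)));
    return 0;
}
```

The unterminated list is only ever walked through the bounded helper here; running the kernel-style walker on it with a non-matching MIDR reproduces the over-read the commit describes. Whether a sanitizer build catches that walk depends on the compiler knowing the array's extent at the point of access, which is why the upstream report ties the crash to inlining.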
Potential Impact
For European organizations running Linux on arm64, the exposure is availability, not confidentiality or integrity: an affected kernel built with UBSAN bounds checking panics while enumerating the boot CPU's features, before any user space runs, so the machine does not come up at all. The trigger is not workload-dependent; it is the identity of the boot CPU, and any core that is not listed in one of the unterminated arrays (in practice, most hardware) sends the walk off the end. Embedded systems, arm64 servers and edge devices are the relevant population, and within it the kernels at risk are those that carry commit a5951389e58d and are built with UBSAN, a combination found in debug, hardened and some Android-derived configurations rather than in most stock distribution kernels. Cloud, telecommunications, IoT and industrial deployments on such kernels face a hard boot failure after the offending kernel update, which is a deployment and maintenance problem as much as an uptime one: a fleet update can leave devices unbootable until a previous kernel is selected or a fixed one is pushed. Kernels built without UBSAN do not crash, but they perform the same out-of-bounds read, so the bug should be fixed there too rather than treated as a debug-build curiosity.
Mitigation Recommendations
1. Apply the upstream fix, which adds the missing sentinel entries to the Spectre-BHB MIDR arrays, by moving to a stable or distribution kernel that carries it. To verify a source tree, check that every struct midr_range list in arch/arm64/kernel/proton-pack.c ends with an empty {} entry.
2. Do not treat UBSAN as the problem: the sanitizer turned a silent out-of-bounds read into a deterministic boot failure, which is what it is for. Kernels built without CONFIG_UBSAN do not crash but still perform the over-read, so they need the fix as well; whether to ship sanitizer-instrumented kernels in production is a separate decision.
3. Disabling the Spectre-BHB mitigation on the kernel command line is not a workaround: the crash occurs in the affected-CPU detection path (update_cpu_capabilities() during boot-CPU feature enumeration), before any mitigation is applied. If a fixed kernel cannot be deployed immediately, either boot a kernel that predates a5951389e58d or rebuild without UBSAN bounds checking, accepting the loss of the newer-core workaround coverage or of the sanitizer respectively.
4. Boot-test kernel updates on representative arm64 hardware in staging before fleet rollout; this defect reproduces deterministically on the first boot, so a single smoke test catches it.
5. Keep a known-good kernel selectable from the bootloader and maintain recovery procedures for systems that fail to boot.
6. Work with hardware and distribution vendors to confirm which kernel builds include the fix.
7. For embedded and IoT devices, stage firmware and kernel updates through A/B or rollback-capable update mechanisms so a non-booting kernel does not brick devices in the field.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T04:51:23.970Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682cd0f71484d88663aeaf9a
Added to database: 5/20/2025, 6:59:03 PM
Last enriched: 7/4/2025, 1:54:47 AM
Last updated: 7/31/2025, 4:32:02 PM