
CVE-2025-37991: Vulnerability in the Linux kernel

Severity: Medium
Published: Tue May 20 2025 (05/20/2025, 17:18:45 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

parisc: Fix double SIGFPE crash

Camm noticed that on parisc a SIGFPE exception will crash an application with a second SIGFPE in the signal handler. Dave analyzed it, and it happens because glibc uses a double-word floating-point store to atomically update function descriptors. As a result of lazy binding, we hit a floating-point store in fpe_func almost immediately. When the T bit is set, an assist exception trap occurs when the co-processor encounters *any* floating-point instruction except for a double store of register %fr0. The latter cancels all pending traps. Let's fix this by clearing the Trap (T) bit in the FP status register before returning to the signal handler in userspace.

The issue can be reproduced with this test program:

root@parisc:~# cat fpe.c
#define _GNU_SOURCE   /* feenableexcept() is a GNU extension */
#include <fenv.h>
#include <signal.h>
#include <stdio.h>

/* SIGFPE handler: unblock SIGFPE inside the handler so a nested SIGFPE
 * can be delivered to it, then report what arrived. */
static void fpe_func(int sig, siginfo_t *i, void *v)
{
    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, SIGFPE);
    sigprocmask(SIG_UNBLOCK, &set, NULL);
    printf("GOT signal %d with si_code %d\n", sig, i->si_code);
}

int main()
{
    struct sigaction action = {
        .sa_sigaction = fpe_func,
        .sa_flags = SA_RESTART|SA_SIGINFO
    };
    sigaction(SIGFPE, &action, 0);
    feenableexcept(FE_OVERFLOW);   /* trap on overflow instead of silently producing inf */
    return printf("%lf\n", 1.7976931348623158E308*1.7976931348623158E308);
}
root@parisc:~# gcc fpe.c -lm
root@parisc:~# ./a.out
Floating point exception
root@parisc:~# strace -f ./a.out
execve("./a.out", ["./a.out"], 0xf9ac7034 /* 20 vars */) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
...
rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
--- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---
--- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---
+++ killed by SIGFPE +++
Floating point exception

AI-Powered Analysis

Last updated: 07/03/2025, 19:26:54 UTC

Technical Analysis

CVE-2025-37991 is a vulnerability identified in the Linux kernel specifically affecting the PA-RISC (parisc) architecture. The issue arises from improper handling of floating-point exceptions (SIGFPE) within signal handlers. On parisc systems, when a SIGFPE exception occurs, the kernel may crash an application with a second SIGFPE triggered inside the signal handler itself. This behavior is due to the way glibc performs atomic updates of function descriptors using double-word floating-point stores, which interacts poorly with the floating-point exception handling mechanism on parisc. The root cause is that the Trap (T) bit in the floating-point status register remains set when returning to user space, causing the co-processor to generate an assist exception trap on any floating-point instruction except a double store of register %fr0. This leads to a cascading failure where the signal handler triggers another SIGFPE, resulting in application termination. The vulnerability can be reproduced with a test program that installs a SIGFPE handler and triggers a floating-point overflow exception. The fix involves clearing the Trap (T) bit in the floating-point status register before returning to the signal handler in user space, preventing the second SIGFPE from occurring. This vulnerability is architecture-specific and affects Linux kernel versions containing the identified commit hashes. There are no known exploits in the wild, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, the impact of CVE-2025-37991 is primarily relevant to those running Linux on PA-RISC hardware, which is a niche architecture with limited deployment in modern enterprise environments. However, organizations that maintain legacy systems or specialized industrial or scientific equipment using PA-RISC Linux could experience application crashes due to unhandled floating-point exceptions, potentially leading to service disruptions or data processing failures. The vulnerability affects application availability and stability rather than confidentiality or integrity directly. Since the issue triggers a fatal signal in user applications, it could be exploited to cause denial of service conditions in critical systems relying on floating-point computations. The lack of known exploits and the architecture specificity reduce the immediate risk, but organizations with PA-RISC Linux systems should prioritize patching to avoid unexpected application crashes and maintain operational continuity.

Mitigation Recommendations

1. Apply the official Linux kernel patch that clears the Trap (T) bit in the floating-point status register before returning to user space signal handlers on PA-RISC systems. This is the definitive fix for the issue.
2. For organizations unable to immediately patch, consider disabling or limiting the use of floating-point exception handling (SIGFPE) in critical applications to reduce the risk of triggering the vulnerability.
3. Conduct thorough testing of applications that use floating-point operations and signal handlers on PA-RISC Linux systems to identify potential crash scenarios.
4. Monitor system logs for repeated SIGFPE signals or application crashes that could indicate attempts to trigger this vulnerability.
5. Maintain an inventory of PA-RISC Linux systems and assess their criticality to prioritize patch deployment.
6. Engage with Linux distribution vendors or maintainers to ensure timely updates and backports of the fix for affected kernel versions.
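The following Python script is an added example (not part of this record or of the kernel project) that applies recommendation 4 to strace output: it flags a signal delivered again before its own handler returned, which is exactly the shape of the two SIGFPE lines and the "killed by SIGFPE" line in the description above. The two sample traces are constructed (the crashing one is taken from the description's strace excerpt), and the "[pid N]" prefix handling for strace -f output is an assumption.

```python
import re
from dataclasses import dataclass

# strace lines of interest: "--- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---"
# (delivery), "rt_sigreturn({mask=[]}) = 0" (handler returned), "+++ killed by SIGFPE +++".
SIG_RE = re.compile(r"^--- (SIG[A-Z0-9]+) \{(.*)\} ---$")
RETURN_RE = re.compile(r"^rt_sigreturn\(")
KILLED_RE = re.compile(r"^\+\+\+ killed by (SIG[A-Z0-9]+)")
PID_RE = re.compile(r"^\[pid\s+\d+\]\s*")  # assumed prefix format written by strace -f

@dataclass
class NestedSignal:
    signal: str             # signal that re-entered its own handler
    si_codes: list          # si_code of every delivery of that signal
    killed_by: "str | None"  # fatal signal if the process died afterwards

def find_nested_signal(lines):
    """Return the first signal delivered again before its handler returned (the
    CVE-2025-37991 double-SIGFPE shape), or None if every handler returned."""
    in_handler = []  # deliveries pushed here; rt_sigreturn pops them
    codes, nested, killed_by = {}, None, None
    for raw in lines:
        line = PID_RE.sub("", raw.strip())
        m = SIG_RE.match(line)
        if m:
            sig, fields = m.groups()
            code = re.search(r"si_code=([A-Z0-9_]+)", fields)
            codes.setdefault(sig, []).append(code.group(1) if code else "?")
            if sig in in_handler and nested is None:
                nested = sig  # same signal hit while its handler was still running
            in_handler.append(sig)
        elif RETURN_RE.match(line) and in_handler:
            in_handler.pop()
        elif KILLED_RE.match(line):
            killed_by = KILLED_RE.match(line).group(1)
    return None if nested is None else NestedSignal(nested, codes[nested], killed_by)

# Constructed sample: the strace excerpt quoted in the CVE description.
CRASHING_TRACE = """\
rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
--- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---
--- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---
+++ killed by SIGFPE +++
""".splitlines()
# Constructed sample of a healthy run: the handler returns and the process exits.
HEALTHY_TRACE = """\
--- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---
rt_sigreturn({mask=[]}) = 0
+++ exited with 3 +++
""".splitlines()
```

find_nested_signal(CRASHING_TRACE) returns a NestedSignal for SIGFPE with two FPE_FLTOVF deliveries and killed_by "SIGFPE", while the healthy trace yields None; feed it the output of strace -f on the crashing application to triage reports of unexplained "Floating point exception" exits.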


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.976Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682cd0f71484d88663aeae01

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/3/2025, 7:26:54 PM

Last updated: 8/4/2025, 10:08:05 AM
