CVE-2025-6365 is a vulnerability identified in the HobbesOSR Kitten product, specifically affecting the function set_pte_at within the ARM64 architecture page table header file (/include/arch-arm64/pgtable.h). The vulnerability leads to resource consumption, which implies that an attacker can manipulate the function to cause excessive use of system resources such as CPU, memory, or other kernel-level resources. This can degrade system performance or potentially lead to denial of service conditions. The vulnerability is classified as critical by the source but carries a CVSS 4.0 score of 6.9, indicating a medium severity level. The CVSS vector indicates that the attack requires adjacent network access (AV:A), low attack complexity (AC:L), no privileges required (PR:L - low privileges), no user interaction (UI:N), and no impact on confidentiality, integrity, or availability directly, but a high impact on resource availability (VA:H). The product uses continuous delivery with rolling releases, so specific version details for affected or patched releases are not available, complicating patch management and vulnerability tracking. No known exploits are reported in the wild at this time. The vulnerability affects the ARM64 architecture implementation of the page table entry setting function, which is a critical part of memory management in the kernel, suggesting that exploitation could impact systems running HobbesOSR Kitten on ARM64 platforms.

For European organizations, the primary impact of this vulnerability is the potential for resource exhaustion attacks that could degrade or disrupt critical systems running HobbesOSR Kitten on ARM64 hardware. This could affect availability of services, especially in environments where ARM64-based servers or embedded devices are used, such as telecommunications infrastructure, IoT deployments, or edge computing nodes. Given the medium CVSS score and the requirement for adjacent network access and low privileges, attackers within the same network segment could exploit this vulnerability to cause denial of service conditions without needing user interaction. This could disrupt business operations, cause downtime, and potentially impact critical infrastructure services. The lack of detailed versioning and patch information complicates timely remediation, increasing the window of exposure. Since HobbesOSR Kitten is a niche or specialized product, the impact is likely concentrated in organizations using this specific OS or kernel variant, but those organizations could face significant operational risks.

1. Network Segmentation: Limit access to systems running HobbesOSR Kitten on ARM64 to trusted network segments to reduce the risk of adjacent network attackers exploiting the vulnerability. 2. Monitoring and Resource Limits: Implement monitoring of system resource usage and configure resource limits (e.g., cgroups or kernel resource quotas) to detect and mitigate abnormal resource consumption patterns. 3. Vendor Coordination: Engage with HobbesOSR for timely updates or patches despite the rolling release model; subscribe to vendor security advisories to receive notifications. 4. Access Controls: Restrict low-privilege user access on affected systems to minimize the risk of exploitation since low privileges are sufficient to exploit this vulnerability. 5. Incident Response Preparedness: Prepare incident response plans to quickly identify and respond to potential denial of service or resource exhaustion incidents. 6. Alternative Platforms: Where feasible, consider migrating critical workloads to more widely supported operating systems with established patching and support mechanisms to reduce dependency on niche products with limited vulnerability management visibility.