CVE-2025-37996 — Use of Uninitialized Resource in Linux
Severity
5.5MEDIUMNVD
OSV7.8
EPSS
0.1%
top 77.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMay 29
Latest updateAug 28
Description
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort()
Commit fce886a60207 ("KVM: arm64: Plumb the pKVM MMU in KVM") made the
initialization of the local memcache variable in user_mem_abort()
conditional, leaving a codepath where it is used uninitialized via
kvm_pgtable_stage2_map().
This can fail on any path that requires a stage-2 allocation
without transition via a permission fault or dirty logging.
Fix this b…
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6
Affected Packages3 packages
▶CVEListV5linux/linuxfce886a6020734d6253c2c5a3bc285e385cc5496 — a26d50f8a4a5049e956984797b5d0dedea4bbb18+2
Patches
🔴Vulnerability Details
5OSV▶
linux, linux-aws, linux-aws-6.14, linux-gcp, linux-gcp-6.14, linux-oracle, linux-oracle-6.14, linux-raspi, linux-realtime vulnerabilities↗2025-08-18
OSV▶
CVE-2025-37996: In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort() Commit fce886a6↗2025-05-29
GHSA▶
GHSA-v8pp-m355-r6cw: In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort()
Commit fce886↗2025-05-29
📋Vendor Advisories
5Debian▶
CVE-2025-37996: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: arm64:...↗2025