CVE-2025-37773 – A NULL pointer dereference vulnerability in the... (How to Fix)

Q: What is the severity of CVE-2025-37773?

CVE-2025-37773 has a CVSS score of 5.5 (MEDIUM). A NULL pointer dereference vulnerability in the Linux kernel's virtiofs filesystem driver could cause kernel panics when source name is NULL during fuzz testing or other edge cases. This affects systems using virtiofs for filesystem sharing between host and guest VMs. The vulnerability requires local access to trigger.

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's virtiofs filesystem driver could cause kernel panics when source name is NULL during fuzz testing or other edge cases. This affects systems using virtiofs for filesystem sharing between host and guest VMs. The vulnerability requires local access to trigger.

💻 Affected Systems

Products:

Linux kernel with virtiofs support

Versions: Specific kernel versions containing the vulnerable virtiofs code (check git commits for exact ranges)

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems using virtiofs feature. Many cloud providers and virtualization platforms use virtiofs for container/VM filesystem sharing.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.

🟠

Likely Case

System crash or instability when virtiofs encounters malformed requests, requiring system reboot to recover.

🟢

If Mitigated

Minor service interruption with automatic recovery if systems are configured for high availability.

🌐 Internet-Facing: LOW - Requires local access to virtiofs interface, not directly exposed to internet.

🏢 Internal Only: MEDIUM - Could be exploited by malicious local users or compromised containers/VMs to crash the host kernel.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access to trigger via virtiofs interface. Likely discovered through fuzz testing as mentioned in description.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits: 599d1e2a6aecc44acf22fe7ea6f5e84a7e526abe, 5ee09cdaf3414f6c92960714af46d3d90eede2f3, 9d6dcf18a1b49990295ac8a05fd9bdfd27ccbf88, a648d80f8d9b208beee03a2d9aa690cfacf1d41e, a94fd938df2b1628da66b498aa0eeb89593bc7a2

Vendor Advisory: https://git.kernel.org/stable/c/599d1e2a6aecc44acf22fe7ea6f5e84a7e526abe

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution's repositories. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.

🔧 Temporary Workarounds

Disable virtiofs

linux

Disable virtiofs feature if not required, preventing exploitation vector.

Check if virtiofs is in use: lsmod | grep virtiofs
Remove module: sudo rmmod virtiofs
Blacklist module: echo 'blacklist virtiofs' | sudo tee /etc/modprobe.d/blacklist-virtiofs.conf

🧯 If You Can't Patch

Restrict local user access to systems using virtiofs
Implement strict container/VM isolation to limit potential attack surface

🔍 How to Verify

Check if Vulnerable:

Check kernel version and verify if virtiofs module is loaded: uname -r && lsmod | grep virtiofs

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is updated to patched version and check git commit history includes the fix commits.

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages in /var/log/kern.log or dmesg
System crash/reboot events
virtiofs-related error messages

Network Indicators:

None - local vulnerability only

SIEM Query:

source="kern.log" AND "kernel panic" AND "virtiofs" OR source="dmesg" AND "Oops" AND "virtiofs"

📊 Metadata

CVE ID: CVE-2025-37773

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Score: 0.03% exploit probability (6.2th percentile)

Published: May 1, 2025

Last Updated: November 5, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON