CVE-2025-37779
📋 TL;DR
A double-free vulnerability in the Linux kernel's lib/iov_iter component allows memory corruption when processing I/O operations with non-slab folios. This affects Linux systems using EROFS file-backed mounts over v9fs, potentially leading to system crashes or kernel memory corruption. The vulnerability requires specific configurations but affects all Linux distributions using vulnerable kernel versions.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic, system crash, or potential privilege escalation through memory corruption leading to arbitrary code execution in kernel context.
Likely Case
System instability, crashes, or denial of service when processing specific I/O operations with EROFS over v9fs configurations.
If Mitigated
No impact if the vulnerable configuration (EROFS over v9fs) is not used or if proper kernel hardening prevents exploitation.
🎯 Exploit Status
Exploitation requires specific configuration (EROFS over v9fs) and local access. The vulnerability was discovered during testing, not through active exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in kernel commits 770c8d55c42868239c748a3ebc57c9e37755f842 and d833f21162c4d536d729628f8cf1ee8d4110f2b7
Vendor Advisory: https://git.kernel.org/stable/c/770c8d55c42868239c748a3ebc57c9e37755f842
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix. 2. Check your distribution's security advisories for backported patches. 3. Reboot system after kernel update.
🔧 Temporary Workarounds
Disable vulnerable configuration
linuxAvoid using EROFS file-backed mounts over v9fs protocol
# Review mount configurations and avoid EROFS over v9fs setups
🧯 If You Can't Patch
- Avoid using EROFS file-backed mounts over v9fs protocol
- Implement strict access controls to limit who can mount filesystems or use v9fs
🔍 How to Verify
Check if Vulnerable:
Check kernel version and verify if using EROFS over v9fs: 'uname -r' and review /proc/mounts for erofs and 9p entriesCheck Version:
uname -rVerify Fix Applied:
Verify kernel version includes the fix commits or check with distribution's security advisory📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- Bad page state errors in dmesg
- folio UAF (use-after-free) messages
Network Indicators:
- None - local vulnerability only
SIEM Query:
Search for: 'Bad page state', 'folio UAF', 'pfn:*' in kernel logs