CVE-2025-37841
📋 TL;DR
This CVE describes a NULL pointer dereference vulnerability in the Linux kernel's cpupower benchmarking tool. If memory allocation fails, the system could crash or become unstable. This affects Linux systems using cpupower with insufficient memory.
💻 Affected Systems
- Linux kernel cpupower utility
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service
Likely Case
Application crash or system instability when cpupower bench runs with low memory
If Mitigated
Minor performance impact with proper memory management
🎯 Exploit Status
Requires ability to run cpupower bench with controlled memory conditions
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel versions containing the fix commits
Vendor Advisory: https://git.kernel.org/stable/c/0e297a02e03dceb2874789ca40bd4e65c5371704
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version
2. Rebuild cpupower if compiled separately
3. Reboot system to load new kernel
🔧 Temporary Workarounds
Limit cpupower bench usage
Restrict execution of cpupower bench to prevent triggering the vulnerability
chmod 700 /usr/bin/cpupower
setcap -r /usr/bin/cpupower
Ensure adequate memory
Maintain sufficient system memory to prevent malloc failures
sysctl -w vm.min_free_kbytes=65536
echo 3 > /proc/sys/vm/drop_caches
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from running cpupower bench
- Monitor system memory usage and ensure adequate free memory is always available
🔍 How to Verify
Check if Vulnerable:
Check kernel version and cpupower source for NULL check on malloc in bench module
Check Version:
uname -r && cpupower --version
Verify Fix Applied:
Verify kernel version includes fix commits or test cpupower bench under low memory conditions
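What the missing and the present NULL check look like when reading the source, as an added example that is not the cpupower code. `struct bench_config`, `bench_malloc`, `run_bench` and the function names are hypothetical, and the `fail_next_alloc` flag stands in for a low-memory condition.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a benchmark configuration (not the cpupower struct). */
struct bench_config { long load_us; unsigned int rounds; };

/* Fault injection: when set, the next allocation fails as malloc does under low memory. */
static int fail_next_alloc;

void *bench_malloc(size_t n) {
    int fail = fail_next_alloc;
    fail_next_alloc = 0;
    return fail ? NULL : malloc(n);
}

/* Unchecked pattern, shown for comparison and never called here. */
struct bench_config *default_config_unchecked(void) {
    struct bench_config *config = bench_malloc(sizeof(*config));
    config->load_us = 500000; /* write through NULL if the allocation failed */
    config->rounds = 50;
    return config;
}

/* Checked pattern: report the failure and let the caller bail out. */
struct bench_config *default_config_checked(void) {
    struct bench_config *config = bench_malloc(sizeof(*config));
    if (config == NULL) {
        fprintf(stderr, "bench: could not allocate config\n");
        return NULL;
    }
    config->load_us = 500000;
    config->rounds = 50;
    return config;
}

/* Returns 0 when the config was built, -1 on a clean allocation failure. */
int run_bench(int simulate_low_memory) {
    fail_next_alloc = simulate_low_memory;
    struct bench_config *config = default_config_checked();
    if (config == NULL)
        return -1;
    free(config);
    return 0;
}

int main(void) {
    printf("normal: %d, low memory: %d\n", run_bench(0), run_bench(1));
    return 0;
}
```

When reviewing a source tree, the thing to look for is the `if (config == NULL)` test between the allocation and the first store through the pointer.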
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- cpupower crash logs
- Out of memory errors
Network Indicators:
- None - local vulnerability only
SIEM Query:
search 'kernel panic' OR 'cpupower' AND 'segmentation fault'
🔗 References
- https://git.kernel.org/stable/c/0e297a02e03dceb2874789ca40bd4e65c5371704
- https://git.kernel.org/stable/c/208baa3ec9043a664d9acfb8174b332e6b17fb69
- https://git.kernel.org/stable/c/34a9394794b0f97af6afedc0c9ee2012c24b28ed
- https://git.kernel.org/stable/c/5e38122aa3fd0f9788186e86a677925bfec0b2d1
- https://git.kernel.org/stable/c/79bded9d70142d2a11d931fc029afece471641db
- https://git.kernel.org/stable/c/87b9f0867c0afa7e892f4b30c36cff6bf2707f85
- https://git.kernel.org/stable/c/942a4b97fc77516678b1d8af1521ff9a94c13b3e
- https://git.kernel.org/stable/c/ceec06f464d5cfc0ba966225f7d50506ceb62242
- https://git.kernel.org/stable/c/f8d28fa305b78c5d1073b63f26db265ba8291ae1
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html