CVE-2025-37849
📋 TL;DR
This CVE describes a use-after-free vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem for ARM64 architecture. When vCPU creation fails, the kernel fails to properly clean up vGIC (virtual Generic Interrupt Controller) structures, potentially allowing attackers to cause memory corruption or kernel crashes. This affects systems running Linux with KVM virtualization on ARM64 hardware.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, potential privilege escalation to kernel mode, or arbitrary code execution in kernel context
Likely Case
Kernel crash or system instability when malicious users trigger vCPU creation failures in KVM
If Mitigated
No impact if KVM is not used or if proper access controls prevent unprivileged users from creating vCPUs
🎯 Exploit Status
Exploitation requires local access and ability to create vCPUs via KVM; timing and memory manipulation would be needed for reliable exploitation
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check kernel commits: 07476e0d932afc53c05468076393ac35d0b4999e, 2480326eba8ae9ccc5e4c3c2dc8d407db68e3c52, 250f25367b58d8c65a1b060a2dda037eea09a672, 5085e02362b9948f82fceca979b8f8e12acb1cc5, c322789613407647a05ff5c451a7bf545fb34e73
Vendor Advisory: https://git.kernel.org/stable/c/07476e0d932afc53c05468076393ac35d0b4999e
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Reboot system to load new kernel.
3. Verify KVM module loads correctly.
🔧 Temporary Workarounds
Disable KVM on ARM64
Prevent KVM virtualization from being used on affected ARM64 systems
modprobe -r kvm
echo 'blacklist kvm' >> /etc/modprobe.d/blacklist.conf
Restrict KVM access
Limit which users can access KVM devices to prevent exploitation
chmod 600 /dev/kvm
setfacl -m u:root:rw /dev/kvm
🧯 If You Can't Patch
- Restrict KVM device access to trusted users only
- Monitor for failed vCPU creation attempts in system logs
🔍 How to Verify
Check if Vulnerable:
Check kernel version and verify if KVM ARM64 support is enabled: lsmod | grep kvm && uname -r
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes the fix commits (run inside a git checkout of the kernel source the running kernel was built from): git log --oneline | grep -E '07476e0d|2480326e|250f2536|5085e023|c3227896'
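The access-control mitigation above can be checked with a short script. This is an added example, not code from the advisory or the kernel project; the function names and category labels are made up for illustration. It looks for the /dev/kvm device node rather than a loaded module, since KVM may be built into the kernel, and it reports who can open the device, not whether the kernel is patched.

```shell
#!/bin/sh
# Added example (constructed here; not from the kernel project or the advisory).
# Classifies who on this host can reach KVM vCPU creation through /dev/kvm.

# kvm_exposure ARCH MODE   (hypothetical helper name)
#   ARCH: value of `uname -m`
#   MODE: octal permission bits of /dev/kvm as printed by `stat -c %a`, or "absent"
# Prints: not-applicable | kvm-unavailable | owner-only | group | world
# POSIX ACL entries (see getfacl) are not evaluated, only the mode bits.
kvm_exposure() (
    arch=$1
    mode=$2
    case $arch in
        aarch64|arm64) ;;                   # the CVE is in the arm64 KVM code
        *) echo "not-applicable"; exit 0 ;;
    esac
    if [ "$mode" = "absent" ]; then
        echo "kvm-unavailable"              # no device node, nothing to open
        exit 0
    fi
    bits=$(( 0$mode ))                      # leading 0 makes the value octal
    group=$(( (bits >> 3) & 6 ))
    other=$(( bits & 6 ))
    # Conservative: any read or write bit is counted as access to the device.
    if [ "$other" -ne 0 ]; then
        echo "world"
    elif [ "$group" -ne 0 ]; then
        echo "group"
    else
        echo "owner-only"
    fi
)

# Collect the two inputs from the running host (GNU stat assumed).
host_kvm_exposure() {
    mode="absent"
    if [ -c /dev/kvm ]; then
        mode=$(stat -c '%a' /dev/kvm)
    fi
    kvm_exposure "$(uname -m)" "$mode"
}

echo "arch=$(uname -m) kernel=$(uname -r) kvm_exposure=$(host_kvm_exposure)"
```

A result of "group" or "world" on an unpatched ARM64 host means accounts other than the device owner can reach vCPU creation; review the owning group's membership and any ACL entries.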
📡 Detection & Monitoring
Log Indicators:
- Kernel oops messages
- Failed vCPU creation in KVM logs
- System crashes during virtualization operations
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND (("KVM" AND "vCPU" AND "failed") OR ("Oops" AND "use-after-free"))
🔗 References
- https://git.kernel.org/stable/c/07476e0d932afc53c05468076393ac35d0b4999e
- https://git.kernel.org/stable/c/2480326eba8ae9ccc5e4c3c2dc8d407db68e3c52
- https://git.kernel.org/stable/c/250f25367b58d8c65a1b060a2dda037eea09a672
- https://git.kernel.org/stable/c/5085e02362b9948f82fceca979b8f8e12acb1cc5
- https://git.kernel.org/stable/c/c322789613407647a05ff5c451a7bf545fb34e73
- https://git.kernel.org/stable/c/f1e9087abaeedec9bf2894a282ee4f0d8383f299
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html