CVE-2025-37929 – A missing sentinel entry in ARM64 Spectre-BHB w... (How to Fix)

Q: What is the severity of CVE-2025-37929?

CVE-2025-37929 has a CVSS score of 5.5 (MEDIUM). A missing sentinel entry in ARM64 Spectre-BHB workaround arrays in the Linux kernel causes a kernel panic during boot when UBSAN (Undefined Behavior Sanitizer) is enabled. This affects ARM64 systems running vulnerable Linux kernel versions, leading to denial of service rather than security compromise. The vulnerability is triggered during CPU capability initialization at boot time.

📋 TL;DR

A missing sentinel entry in ARM64 Spectre-BHB workaround arrays in the Linux kernel causes a kernel panic during boot when UBSAN (Undefined Behavior Sanitizer) is enabled. This affects ARM64 systems running vulnerable Linux kernel versions, leading to denial of service rather than security compromise. The vulnerability is triggered during CPU capability initialization at boot time.

💻 Affected Systems

Products:

Linux kernel

Versions: Specific versions between commits a5951389e58d and the fix commits; check kernel git history for exact ranges

Operating Systems: Linux distributions running on ARM64 architecture

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when UBSAN (Undefined Behavior Sanitizer) is enabled in kernel configuration. Most production systems do not enable UBSAN by default.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

System fails to boot completely, resulting in permanent denial of service requiring physical intervention or recovery procedures.

🟠

Likely Case

Boot failure on ARM64 systems with UBSAN enabled, preventing system startup and requiring kernel patching or configuration changes.

🟢

If Mitigated

No impact on systems without UBSAN enabled or with patched kernels.

🌐 Internet-Facing: LOW - This is a boot-time crash vulnerability, not remotely exploitable for code execution or data access.

🏢 Internal Only: MEDIUM - Can cause production outages on affected ARM64 servers, but requires specific kernel configuration (UBSAN enabled).

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ✅ No

Complexity: LOW - Triggering requires booting affected system with UBSAN enabled

This is a crash vulnerability, not a traditional security exploit. It's triggered during normal boot process on vulnerable configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits 090c8714efe1c3c470301cc2f794c1ee2a57746c, 333579202f09e260e8116321df4c55f80a19b160, 3821cae9bd5a99a42d3d0be1b58e41f072cd4c4c, 446289b8b36b2ee98dabf6388acbddcc33ed41be, or 6266b3509b2c6ebf2f9daf2239ff8eb60c5f5bd3

Vendor Advisory: https://git.kernel.org/stable/c/090c8714efe1c3c470301cc2f794c1ee2a57746c

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution vendor. 2. Reboot system to load new kernel. 3. Verify kernel version matches patched release.

🔧 Temporary Workarounds

Disable UBSAN

linux

Disable Undefined Behavior Sanitizer in kernel configuration to prevent the crash

Rebuild kernel with CONFIG_UBSAN=n or boot with 'ubsan=0' kernel parameter

🧯 If You Can't Patch

Ensure UBSAN is disabled in kernel configuration
Use unaffected kernel versions or architectures

🔍 How to Verify

Check if Vulnerable:

Check if kernel was built with UBSAN enabled and if running on ARM64 architecture with affected kernel version range

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes one of the fix commits: 090c8714efe1c3c470301cc2f794c1ee2a57746c or related patches

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages during boot mentioning 'aarch64 BRK: Fatal exception' or 'spectre_bhb_loop_affected'

Network Indicators:

System becoming unresponsive/unreachable after reboot

SIEM Query:

Search for kernel panic events with 'BRK' or 'spectre_bhb' in system logs

📊 Metadata

CVE ID: CVE-2025-37929

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

EPSS Score: 0.04% exploit probability (12.2th percentile)

Published: May 20, 2025

Last Updated: November 10, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-37929, you might also want to check these: