CVE-2025-37975

7.1 HIGH

📋 TL;DR

This CVE describes an out-of-bounds memory access vulnerability in the RISC-V module loader of the Linux kernel. An attacker could exploit this to cause kernel crashes or potentially execute arbitrary code. Systems running Linux kernels with RISC-V architecture support are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not specified in CVE description, but likely multiple stable kernel versions before the fix commits.
Operating Systems: Linux distributions with RISC-V architecture support
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using RISC-V architecture. Requires ability to load kernel modules or trigger the vulnerable code path.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel panic leading to denial of service, or potential arbitrary code execution with kernel privileges resulting in complete system compromise.
🟠 Likely Case: Kernel crash or system instability requiring reboot, leading to denial of service.
🟢 If Mitigated: No impact if kernel modules are properly sandboxed or if the vulnerable code path isn't triggered.

🌐 Internet-Facing: LOW - This requires local access or ability to load kernel modules, which typically isn't exposed to internet-facing services.
🏢 Internal Only: MEDIUM - Malicious local users or compromised services with appropriate privileges could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and ability to trigger the out-of-bounds access in the module loader. No public exploit code is mentioned in the CVE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits 0b4cce68efb93e31a8e51795d696df6e379cb41c, 95e4e1c1cf614d125f159db9726b7abb32e18385, or a068ea00009d373d825c528f9c168501519211b4

Vendor Advisory: https://git.kernel.org/stable/c/0b4cce68efb93e31a8e51795d696df6e379cb41c

Restart Required: Yes

Instructions:

1. Update to a patched Linux kernel version containing the fix commits.
2. Reboot the system to load the new kernel.
3. Verify the fix is applied by checking kernel version.

🔧 Temporary Workarounds

Restrict kernel module loading

linux

Prevent unauthorized kernel module loading to reduce attack surface

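# Either command sets the same sysctl (run as root). Once set to 1 it cannot be
# cleared until the next reboot, so load every module the system needs first.
echo 1 > /proc/sys/kernel/modules_disabled
sysctl -w kernel.modules_disabled=1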

Disable RISC-V module support if not needed

linux

Remove RISC-V architecture support if not required

Remove RISC-V kernel modules and recompile kernel without RISC-V support

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized users from loading kernel modules
  • Monitor system logs for kernel crashes or suspicious module loading activity

🔍 How to Verify

Check if Vulnerable:

Check whether the system runs a Linux kernel on RISC-V and whether the kernel version predates the fix commits. Use uname -r, then check the kernel source for the vulnerable code.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes one of the fix commits: 0b4cce68efb93e31a8e51795d696df6e379cb41c, 95e4e1c1cf614d125f159db9726b7abb32e18385, or a068ea00009d373d825c528f9c168501519211b4
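
The checks above as one triage script (an added example, not part of the CVE record or the kernel project): it classifies a host by architecture and the modules_disabled workaround, and tests whether a kernel git ref contains one of the fix commits listed on this page. The function names classify_exposure, host_exposure and ref_has_fix, and the TREE and REF arguments, are assumptions of this example.

```shell
#!/bin/sh
# Added example: host triage for CVE-2025-37975 (RISC-V module loader).
# Function names and the TREE/REF arguments are assumptions of this example.

# The three fix commits listed on this page.
FIX_COMMITS="0b4cce68efb93e31a8e51795d696df6e379cb41c
95e4e1c1cf614d125f159db9726b7abb32e18385
a068ea00009d373d825c528f9c168501519211b4"

# classify_exposure ARCH MODULES_DISABLED
#   ARCH             output of `uname -m`
#   MODULES_DISABLED content of /proc/sys/kernel/modules_disabled,
#                    or "unknown" when it could not be read
classify_exposure() {
    case "$1" in
        riscv*) ;;                              # riscv32 / riscv64
        *) echo "not-affected"; return 0 ;;     # bug is in the RISC-V loader only
    esac
    case "$2" in
        1) echo "mitigated-modules-disabled" ;; # no further module loads possible
        *) echo "check-kernel-for-fix" ;;       # modules loadable or state unknown
    esac
}

# host_exposure: classify the machine this script runs on.
host_exposure() {
    f=/proc/sys/kernel/modules_disabled
    if [ -r "$f" ]; then state=$(cat "$f"); else state=unknown; fi
    classify_exposure "$(uname -m)" "$state"
}

# ref_has_fix TREE REF: succeeds (and prints the commit) if REF in the git
# checkout TREE contains any of the fix commits; fails otherwise, including
# when TREE is not a git checkout or the commit is not present in it.
ref_has_fix() {
    for c in $FIX_COMMITS; do
        if git -C "$1" merge-base --is-ancestor "$c" "$2" 2>/dev/null; then
            echo "$c"
            return 0
        fi
    done
    return 1
}

echo "exposure: $(host_exposure)"
```

ref_has_fix needs a clone of the kernel tree your build came from and the tag or commit it was built at; distribution kernels that backport the fix under a different commit id will not match, so check the vendor changelog for those.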

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • System crash logs
  • Unexpected module loading attempts

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

search 'kernel panic' OR 'system crash' OR 'segmentation fault' in kernel logs
