CVE-2025-37991

7.8 HIGH

📋 TL;DR

A double free vulnerability in the Linux kernel's parisc architecture causes applications to crash when handling SIGFPE signals. This occurs due to improper handling of floating-point assist exceptions during lazy binding in glibc. Systems running Linux on parisc (PA-RISC) architecture are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel builds that lack the parisc fix; check the kernel commit history for the exact affected ranges.
Operating Systems: Linux distributions running on PA-RISC (parisc) architecture
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with PA-RISC architecture; x86, ARM, and other architectures are not vulnerable.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system crash or denial of service affecting all applications on the system, potentially leading to data loss or service disruption.

🟠

Likely Case

Application crashes when encountering floating-point exceptions, causing service interruptions for affected programs.

🟢

If Mitigated

Limited to specific applications that trigger floating-point exceptions on parisc systems.

🌐 Internet-Facing: LOW - Requires local access and specific conditions to trigger.
🏢 Internal Only: MEDIUM - Could affect critical internal services running on parisc systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

The provided test program demonstrates the crash, but exploitation requires local access and specific conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions that include commit 2a1aff3616b3b57aa4a5f8a7762cce1e82493fe6 or later

Vendor Advisory: https://git.kernel.org/stable/c/2a1aff3616b3b57aa4a5f8a7762cce1e82493fe6

Restart Required: Yes

Instructions:

1. Update the Linux kernel to a patched version.
2. Reboot the system to load the new kernel.
3. Verify the running kernel version with 'uname -r'.

🔧 Temporary Workarounds

Disable floating-point exception handling

Prevent applications from enabling floating-point exceptions via feenableexcept().

  # Monitor for applications using feenableexcept()
  # Consider restricting such applications if possible

🧯 If You Can't Patch

  • Isolate parisc systems from critical services
  • Monitor for application crashes related to SIGFPE signals

🔍 How to Verify

Check if Vulnerable:

Run the test program from the CVE description on a parisc system; if it crashes with a double SIGFPE, the system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

Run the same test program; it should complete without crashing.

📡 Detection & Monitoring

Log Indicators:

  • Multiple SIGFPE signals in quick succession
  • Application crashes with floating-point exceptions

Network Indicators:

  • None - local vulnerability only

SIEM Query:

search 'SIGFPE' OR 'floating point exception' in system logs
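As an added example that is not part of this advisory, the following Python turns the "multiple SIGFPE signals in quick succession" indicator into a concrete check over crash-log lines. The log format (systemd-coredump-style lines with a "Signal: N (NAME)" field) and the sample lines are constructed assumptions; adapt the regex to whatever your collector emits.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a systemd-coredump-like format (not real captures).
# fpcalc crashes with SIGFPE, is restarted by its supervisor, and crashes again
# seconds later; batch hits SIGFPE twice but over an hour apart.
SAMPLE_LOG = """\
2025-05-12T10:01:03 pa-box systemd-coredump[410]: Process 1234 (fpcalc) of user 1000 dumped core. Signal: 8 (FPE)
2025-05-12T10:01:06 pa-box systemd-coredump[411]: Process 1240 (fpcalc) of user 1000 dumped core. Signal: 8 (FPE)
2025-05-12T10:05:40 pa-box systemd-coredump[412]: Process 2222 (webd) of user 33 dumped core. Signal: 11 (SEGV)
2025-05-12T10:09:00 pa-box systemd-coredump[413]: Process 3333 (batch) of user 1000 dumped core. Signal: 8 (FPE)
2025-05-12T11:30:00 pa-box systemd-coredump[414]: Process 3340 (batch) of user 1000 dumped core. Signal: 8 (FPE)
"""

# Assumed line layout: ISO timestamp, host, coredump tag, PID, (program), ..., Signal: N (NAME)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ systemd-coredump\[\d+\]: Process (?P<pid>\d+) \((?P<name>[^)]+)\)"
    r" .*Signal: (?P<signum>\d+) \((?P<signame>[A-Z]+)\)"
)


def parse_crashes(text):
    """Return (timestamp, pid, program, signal_name) for every line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), int(m["pid"]),
                           m["name"], m["signame"]))
    return events


def sigfpe_bursts(events, window_s=5):
    """Flag programs that die from SIGFPE more than once within window_s seconds.

    A single SIGFPE is ordinary arithmetic misbehaviour; a repeated SIGFPE from the
    same program in a short window is the pattern the advisory lists as an indicator.
    Returns (program, first_ts, second_ts) per flagged program.
    """
    by_name = {}
    for ts, _pid, name, signame in events:
        if signame == "FPE":
            by_name.setdefault(name, []).append(ts)
    window = timedelta(seconds=window_s)
    alerts = []
    for name, times in by_name.items():
        times.sort()
        for i in range(1, len(times)):
            if times[i] - times[i - 1] <= window:
                alerts.append((name, times[i - 1].isoformat(), times[i].isoformat()))
                break
    return alerts


if __name__ == "__main__":
    for alert in sigfpe_bursts(parse_crashes(SAMPLE_LOG)):
        print("SIGFPE burst:", alert)
```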
