Login Sign Up

CVE-2025-39737

5.5 MEDIUM

📋 TL;DR

This CVE describes a soft lockup vulnerability in the Linux kernel's kmemleak memory leak detector. When kmemleak disables itself due to memory exhaustion, the cleanup process can cause a CPU to become unresponsive for extended periods. This affects systems running debug kernels with kmemleak enabled during memory-intensive operations.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not explicitly stated, but patches are available in stable kernel trees
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ✅ No
Notes: Only affects systems with CONFIG_DEBUG_KMEMLEAK enabled and CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to large values (like 40,000). Debug kernels with kmemleak during memory exhaustion scenarios.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system unresponsiveness requiring hard reboot, potentially causing service disruption and data loss.

🟠

Likely Case

Temporary system slowdown or unresponsiveness during kmemleak cleanup operations, requiring manual intervention.

🟢

If Mitigated

Minor performance degradation with automatic recovery via cond_resched() calls.

🌐 Internet-Facing: LOW - This is a local kernel vulnerability requiring specific debug configurations.
🏢 Internal Only: MEDIUM - Can affect internal systems running debug kernels with kmemleak enabled during memory pressure scenarios.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and specific kernel configurations. The vulnerability is triggered by memory exhaustion causing kmemleak to disable itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel trees (commits referenced in CVE)

Vendor Advisory: https://git.kernel.org/stable/c/1ef72a7fedc5bca70e8cc980985790de10d407aa

Restart Required: Yes

Instructions:

1. Update to a patched kernel version from your distribution's repository. 2. Reboot the system to load the new kernel. 3. Verify the kernel version matches the patched release.

🔧 Temporary Workarounds

Disable kmemleak

linux

Disable the kmemleak memory leak detector in kernel configuration

echo 0 > /sys/kernel/debug/kmemleak

Reduce kmemleak memory pool

linux

Decrease CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE to prevent memory exhaustion

Rebuild kernel with reduced CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE value

🧯 If You Can't Patch

  • Avoid running debug kernels with kmemleak enabled in production environments
  • Monitor system memory usage and avoid memory exhaustion scenarios that trigger kmemleak cleanup

🔍 How to Verify

Check if Vulnerable:

Check if kmemleak is enabled: cat /sys/kernel/debug/kmemleak 2>/dev/null || echo 'kmemleak not enabled'

Check Version:

uname -r

Verify Fix Applied:

Check kernel version against patched releases and verify system doesn't experience soft lockups during memory pressure

📡 Detection & Monitoring

Log Indicators:

  • watchdog: BUG: soft lockup - CPU#X stuck for Ys! [kworker/X:Y:Z]
  • kmemleak: Cannot allocate a kmemleak_object structure
  • kmemleak: Kernel memory leak detector disabled

Network Indicators:

  • None - this is a local kernel issue

SIEM Query:

source="kernel" AND ("soft lockup" OR "kmemleak" OR "watchdog: BUG")

📊 Metadata

CVE ID: CVE-2025-39737
CVSS v3 Score: 5.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-401
EPSS Score: 0.01% exploit probability (1th percentile)
Published: September 11, 2025
Last Updated: January 27, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-39737, you might also want to check these:

CVE-2021-40633 8.8

CVE-2021-40633 is a memory leak vulnerability in gif2rgb, a utility in giflib 5.1.4, allowing remote...

Same vulnerability type (CWE-401)
CVE-2021-3492 8.8

CVE-2021-3492 is a kernel vulnerability in Ubuntu's Shiftfs filesystem where improper error handling...

Same vulnerability type (CWE-401)
CVE-2024-25450 8.8

CVE-2024-25450 is a memory allocation vulnerability in imlib2 v1.9.1's init_imlib_fonts() function t...

Same vulnerability type (CWE-401)