CVE-2025-6365

5.7 MEDIUM

📋 TL;DR

This vulnerability in HobbesOSR Kitten's set_pte_at function allows attackers to cause resource consumption (denial of service) by manipulating page table entries. It affects all versions up to commit c4f8b7c3158983d1020af432be1b417b28686736. Users of HobbesOSR Kitten on ARM64 systems are vulnerable.

💻 Affected Systems

Products:
  • HobbesOSR Kitten
Versions: All versions up to commit c4f8b7c3158983d1020af432be1b417b28686736
Operating Systems: Linux-based systems running HobbesOSR Kitten on ARM64 architecture
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects ARM64 architecture due to the vulnerable function location in /include/arch-arm64/pgtable.h. Continuous delivery model means specific version numbers aren't available.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system unavailability due to resource exhaustion, potentially requiring physical reboot of affected systems.

🟠 Likely Case

Degraded system performance, application crashes, or temporary service interruptions due to resource starvation.

🟢 If Mitigated

Minimal impact with proper resource monitoring and isolation, though some performance degradation may still occur.

🌐 Internet-Facing: MEDIUM - While resource consumption attacks can be launched remotely, exploitation requires specific conditions and targeting.
🏢 Internal Only: MEDIUM - Internal attackers could disrupt critical systems, but requires access to vulnerable components.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of ARM64 page table structures and ability to trigger the vulnerable function. No public exploits have been reported.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit c4f8b7c3158983d1020af432be1b417b28686736

Vendor Advisory: https://github.com/HobbesOSR/kitten/issues/17

Restart Required: Yes

Instructions:

1. Update to the latest HobbesOSR Kitten version after the fix commit.
2. Rebuild and redeploy affected systems.
3. Restart services using the updated kernel/library.

🔧 Temporary Workarounds

Resource Limiting

linux

Implement strict resource limits to contain potential resource exhaustion

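# Use cgroups to limit memory and CPU usage (cgroup v1 controller names, libcgroup tools)
cgcreate -g memory,cpu:/kitten-limited
# Cap memory for the group at 2 GiB
cgset -r memory.limit_in_bytes=2G /kitten-limited
# 50000 us of CPU time per default 100000 us period, i.e. half of one CPU
cgset -r cpu.cfs_quota_us=50000 /kitten-limited
# The limits only apply to processes that are placed into this group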

Isolation via Containers

linux

Run vulnerable components in isolated containers with resource constraints

docker run --memory="2g" --cpus="0.5" -d your-kitten-image

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems from untrusted networks
  • Deploy monitoring for abnormal resource consumption patterns and set up automated alerts

🔍 How to Verify

Check if Vulnerable:

Check whether the running HobbesOSR Kitten build is at or before commit c4f8b7c3158983d1020af432be1b417b28686736

Check Version:

# Print the full 40-character hash of the checked-out commit
git rev-parse HEAD

Verify Fix Applied:

Verify that the current commit comes after c4f8b7c3158983d1020af432be1b417b28686736 in the repository history
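Commit hashes have no ordering, so "at or before" and "after" can only be decided from commit ancestry. The script below is an added example, not code from the advisory or the Kitten project; the helper name `kitten_status` is hypothetical, and it assumes a full (non-shallow) git clone of the Kitten source tree that the build was made from.

```shell
#!/bin/sh
# Added example (not from the advisory or the Kitten project).
# Boundary commit as given on this page:
BOUNDARY=c4f8b7c3158983d1020af432be1b417b28686736

# kitten_status REPO [BOUNDARY]  (hypothetical helper name)
# Prints one of:
#   vulnerable  HEAD is the boundary commit or one of its ancestors
#   after       the boundary commit is a strict ancestor of HEAD
#   diverged    neither contains the other (fork or side branch)
#   unknown     ancestry cannot be decided in this clone
kitten_status() {
    repo=$1
    boundary=${2:-$BOUNDARY}

    head=$(git -C "$repo" rev-parse --verify -q 'HEAD^{commit}' 2>/dev/null) || {
        echo unknown; return 0; }

    # A shallow clone has truncated history, so ancestry answers are unreliable.
    if [ "$(git -C "$repo" rev-parse --is-shallow-repository 2>/dev/null)" = true ]; then
        echo unknown; return 0
    fi

    # The boundary object must exist locally (wrong repo or partial fetch otherwise).
    if ! git -C "$repo" cat-file -e "${boundary}^{commit}" 2>/dev/null; then
        echo unknown; return 0
    fi

    if git -C "$repo" merge-base --is-ancestor "$head" "$boundary"; then
        echo vulnerable
    elif git -C "$repo" merge-base --is-ancestor "$boundary" "$head"; then
        echo after
    else
        echo diverged
    fi
}

# Stand-alone use: sh check.sh /path/to/kitten
if [ "$#" -gt 0 ]; then kitten_status "$1"; fi
```

A `diverged` or `unknown` result needs manual review of the tree, since the page does not identify the fix commit itself.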

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory allocation patterns
  • Kernel OOM (Out of Memory) killer events
  • Process crashes with resource exhaustion errors

Network Indicators:

  • Unusual traffic patterns to/from affected systems
  • Multiple connection attempts to trigger the vulnerability

SIEM Query:

source="kernel" AND ("out of memory" OR "oom" OR "resource exhaustion") AND process="kitten"
