CVE-2025-37996

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-37996
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37996.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-37996
Downstream
Published
2025-05-29T13:15:54Z
Modified
2025-10-18T01:30:21.293411Z
Summary
KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort()
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix uninitialized memcache pointer in usermemabort()

Commit fce886a60207 ("KVM: arm64: Plumb the pKVM MMU in KVM") made the initialization of the local memcache variable in usermemabort() conditional, leaving a codepath where it is used uninitialized via kvmpgtablestage2_map().

This can fail on any path that requires a stage-2 allocation without transition via a permission fault or dirty logging.

Fix this by making sure that memcache is always valid.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fce886a6020734d6253c2c5a3bc285e385cc5496
Fixed
a26d50f8a4a5049e956984797b5d0dedea4bbb18
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fce886a6020734d6253c2c5a3bc285e385cc5496
Fixed
157dbc4a321f5bb6f8b6c724d12ba720a90f1a7c

Affected versions

v6.*

v6.13
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.2
v6.14.3
v6.14.4
v6.14.5
v6.14.6
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "id": "CVE-2025-37996-203f51ad",
        "target": {
            "file": "arch/arm64/kvm/mmu.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@157dbc4a321f5bb6f8b6c724d12ba720a90f1a7c",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "69666031120562081488402290252911069498",
                "54344594298927433486551814461954678702",
                "105001716935880983028567382602018954231",
                "255777498674459255736828081634927190613",
                "125539676477983577120005362982048626",
                "89690763149274303858606562438877171349",
                "312275967343983192618416825411143289640",
                "231686796399277311033788344234635001843",
                "62729546829049460798364510626055046799",
                "302844728349091177700705063726493098126",
                "303902448900760352504384585839824255724",
                "62374437545604166718928973611909502278"
            ]
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2025-37996-335c813d",
        "target": {
            "function": "user_mem_abort",
            "file": "arch/arm64/kvm/mmu.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a26d50f8a4a5049e956984797b5d0dedea4bbb18",
        "signature_version": "v1",
        "digest": {
            "function_hash": "123498371865048947309567115381901045016",
            "length": 4059.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2025-37996-3a37f4c2",
        "target": {
            "function": "user_mem_abort",
            "file": "arch/arm64/kvm/mmu.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@157dbc4a321f5bb6f8b6c724d12ba720a90f1a7c",
        "signature_version": "v1",
        "digest": {
            "function_hash": "123498371865048947309567115381901045016",
            "length": 4059.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "id": "CVE-2025-37996-b1be05b8",
        "target": {
            "file": "arch/arm64/kvm/mmu.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a26d50f8a4a5049e956984797b5d0dedea4bbb18",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "69666031120562081488402290252911069498",
                "54344594298927433486551814461954678702",
                "105001716935880983028567382602018954231",
                "255777498674459255736828081634927190613",
                "125539676477983577120005362982048626",
                "89690763149274303858606562438877171349",
                "312275967343983192618416825411143289640",
                "231686796399277311033788344234635001843",
                "62729546829049460798364510626055046799",
                "302844728349091177700705063726493098126",
                "303902448900760352504384585839824255724",
                "62374437545604166718928973611909502278"
            ]
        },
        "deprecated": false
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.14.0
Fixed
6.14.7