CVE-2025-37760

MEDIUM EPSS 5.3%
Published May 1, 20251y ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published May 1, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: mm/vma: add give_up_on_oom option on modify/merge, use in uffd release Currently, if a VMA merge fails due to an OOM condition arising on commit merge or a failure to duplicate anon_vma's, we report this so the caller can handle it. However there are cases where the caller is only ostensibly trying a merge, and doesn't mind if it fails due to this condition. Since we do not want to introduce an implicit assumption that we only actually modify VMAs after OOM conditions might arise, add a 'give up on oom' option and make an explicit contract that, should this flag be set, we absolutely will not modify any VMAs should OOM arise and just bail out. Since it'd be very unusual for a user to try to vma_modify() with this flag set but be specifying a range within a VMA which ends up being split (which can fail due to rlimit issues, not only OOM), we add a debug warning for this condition. The motivating reason for this is uffd release - syzkaller (and Pedro Falcato's VERY astute analysis) found a way in which an injected fault on allocation, triggering an OOM condition on commit merge, would result in uffd code becoming confused and treating an error value as if it were a VMA pointer. To avoid this, we make use of this new VMG flag to ensure that this never occurs, utilising the fact that, should we be clearing entire VMAs, we do not wish an OOM event to be reported to us. Many thanks to Pedro Falcato for his excellent analysis and Jann Horn for his insightful and intelligent analysis of the situation, both of whom were instrumental in this fix.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
5.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 8

VendorProductVersionRange
linuxlinux_kernel*≥6.12.19  –  <6.12.25
linuxlinux_kernel*≥6.13.7  –  <6.14
linuxlinux_kernel*≥6.14.1  –  <6.14.4
linuxlinux_kernel6.14any
linuxlinux_kernel6.14any
linuxlinux_kernel6.14any
linuxlinux_kernel6.15any
linuxlinux_kernel6.15any

References 3

  • git.kernel.org https://git.kernel.org/stable/c/41e6ddcaa0f18dda4c3fadf22533775a30d6f72f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b906c1ad25adce6ff35be19b65a1aa7d960fe1d7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c103a75c61648203d731e3b97a6fbeea4003cb15
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/41e6ddcaa0f18dda4c3fadf22533775a30d6f72f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b906c1ad25adce6ff35be19b65a1aa7d960fe1d7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c103a75c61648203d731e3b97a6fbeea4003cb15
    Patch