5.5

CVE-2025-39737

EPSS 0.01%
Veröffentlicht 11.09.2025 16:52:12
Zuletzt bearbeitet 27.01.2026 16:30:00
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()

A soft lockup warning was observed on a relative small system x86-64
system with 16 GB of memory when running a debug kernel with kmemleak
enabled.

  watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]

The test system was running a workload with hot unplug happening in
parallel.  Then kemleak decided to disable itself due to its inability to
allocate more kmemleak objects.  The debug kernel has its
CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.

The soft lockup happened in kmemleak_do_cleanup() when the existing
kmemleak objects were being removed and deleted one-by-one in a loop via a
workqueue.  In this particular case, there are at least 40,000 objects
that need to be processed and given the slowness of a debug kernel and the
fact that a raw_spinlock has to be acquired and released in
__delete_object(), it could take a while to properly handle all these
objects.

As kmemleak has been disabled in this case, the object removal and
deletion process can be further optimized as locking isn't really needed. 
However, it is probably not worth the effort to optimize for such an edge
case that should rarely happen.  So the simple solution is to call
cond_resched() at periodic interval in the iteration loop to avoid soft
lockup.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 14

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 5.4.1 < 5.4.297

Linux ≫ Linux Kernel Version >= 5.5 < 5.10.241

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.190

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.149

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.103

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.43

Linux ≫ Linux Kernel Version >= 6.13 < 6.15.11

Linux ≫ Linux Kernel Version >= 6.16 < 6.16.2

Linux ≫ Linux Kernel Version5.4 Update-

Linux ≫ Linux Kernel Version5.4 Updaterc4

Linux ≫ Linux Kernel Version5.4 Updaterc5

Linux ≫ Linux Kernel Version5.4 Updaterc6

Linux ≫ Linux Kernel Version5.4 Updaterc7

Linux ≫ Linux Kernel Version5.4 Updaterc8

Linux ≫ Linux Kernel Version6.17 Updaterc1

Debian ≫ Debian Linux Version11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.01

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

https://git.kernel.org/stable/c/9f1f4e95031f84867c5821540466d62f88dab8ca

Patch

https://git.kernel.org/stable/c/1ef72a7fedc5bca70e8cc980985790de10d407aa

Patch

https://git.kernel.org/stable/c/a04de4c40aab9b338dfa989cf4aec70fd187eeb2

Patch

https://git.kernel.org/stable/c/f014c10d190b92aad366e56b445daffcd1c075e4

Patch

https://git.kernel.org/stable/c/e21a3ddd58733ce31afcb1e5dc3cb80a4b5bc29b

Patch

https://git.kernel.org/stable/c/8d2d22a55ffe35c38e69795468a7addd1a80e9ce

Patch

https://git.kernel.org/stable/c/926092268efdf1ed7b55cf486356c74a9e7710d1

Patch

https://git.kernel.org/stable/c/9b80430c194e4a114dc663c1025d56b4f3d0153d

Patch

https://git.kernel.org/stable/c/d1534ae23c2b6be350c8ab060803fbf6e9682adc

Patch

https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-39737

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-39737

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-39737

EUVD