CVE-2025-37774: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37774 is a vulnerability discovered in the Linux kernel's slab memory allocator, specifically related to the initialization of slab->obj_exts field in newly allocated slab pages. The issue was identified when crashes were reported during buffered I/O tests with __alloc_tagging_slab_alloc_hook() at the top of the crash call stack. The vulnerability was disclosed on May 1, 2025, affecting the Linux kernel's memory management subsystem (NVD).

The vulnerability stems from an uninitialized field (slab->obj_exts) in newly allocated slab pages. The bits in this field were found to be set outside the range used by page_memcg_data_flags and objext_flags, and were not properly masked out by slab_obj_exts() when obtaining the pointer stored in slab->obj_exts. This resulted in invalid address dereference with low bits of slab->obj_exts being set, leading to kernel NULL pointer dereference at virtual address 0x10 and subsequent kernel panic (NVD).

The vulnerability causes system crashes and kernel panics when triggered, affecting system stability and availability. The issue manifests during buffered I/O operations, potentially impacting system performance and reliability. When triggered, it results in a kernel panic with the message 'Oops: Fatal exception' and stops secondary CPUs (NVD).

The issue has been resolved by ensuring proper initialization of slab->obj_exts during slab page allocation. The fix involves initializing the field during the slab page allocation process to prevent invalid address dereference (NVD).