CVE-2025-37849: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37849 was disclosed on May 09, 2025, affecting the Linux kernel's KVM (Kernel-based Virtual Machine) implementation on ARM64 architectures. The vulnerability involves improper cleanup of vGIC (Virtual Generic Interrupt Controller) structures during failed vCPU creation processes (NVD).

The vulnerability occurs when kvmarchvcpu_create() fails to share the vCPU page with the hypervisor. While the error is propagated back to the ioctl, the vGIC vCPU data remains initialized. This implementation flaw has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Wiz, Red Hat).

The vulnerability can lead to two primary security issues: memory leaks when the vCPU is destroyed and potential use-after-free vulnerabilities during redistributor device handling operations. These issues could potentially affect system stability and security in virtualized environments using KVM on ARM64 architectures (Wiz).

The fix involves adding proper cleanup procedures to kvmarchvcpu_create(), ensuring that the vGIC vCPU structures are properly destroyed on error. Red Hat has marked this vulnerability as 'Fix deferred' for Red Hat Enterprise Linux 9 (Red Hat).