CVE-2025-37908: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37908 is a vulnerability discovered in the Linux kernel related to memory management, specifically affecting the kernel's slab memory allocator subsystem. The vulnerability was identified and disclosed on May 20, 2025, impacting memory allocation profiling functionality (NVD, Wiz).

The vulnerability occurs when memory allocation profiling is disabled at runtime or due to an error. When shutdownmemprofiling() is called, previously allocated slab->objexts remains uncleaned. The issue arises because unaccountslab() doesn't clear these allocations when memallocprofiling_enabled() returns false. This leads to a 'Bad page state' error and pages being incorrectly charged to cgroups. The vulnerability has been assigned a CVSS v3.1 score of 7.0 with vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (RedHat).

The vulnerability can result in system instability and resource accounting issues, specifically manifesting as 'Bad page state' errors and incorrect page charging to cgroups. This can affect system reliability and proper resource management (Wiz).

The issue has been resolved through a patch that ensures slab->objexts is always properly cleaned up in unaccountslab(), regardless of the memory allocation profiling state. The fix includes folding needslabobj_ext() into its only user (Ubuntu).