CVE-2025-37950: 
Linux Ubuntu vulnerability analysis and mitigation

A vulnerability has been identified in the Linux kernel's OCFS2 filesystem implementation, tracked as CVE-2025-37950. The issue was discovered and disclosed on May 20, 2025, affecting the folio allocation mechanism in OCFS2. The vulnerability specifically relates to changes introduced by commits 7e119cff9d0a and 9a5e08652dc4b which converted the filesystem's page handling to use folios (NVD, Wiz).

The vulnerability stems from improper error handling in the folio array allocation process. When allocation fails with -ENOMEM (out of memory) error, the code saves this error value in the folio array and calls the folio array free code. However, the free code expects either valid folio pointers or NULL values. When it encounters the -ENOMEM value instead, it results in a kernel panic. The vulnerability has been assigned a CVSS v3.1 score of 7.0 with vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (RedHat).

When triggered, this vulnerability causes a kernel panic, which results in an immediate system crash. This can lead to system downtime and potential data loss due to the abrupt system shutdown (Wiz).

The vulnerability has been fixed by modifying the error handling code to NULL the error folio entry instead of storing the -ENOMEM value. The fix is available in the Linux kernel repository through specific commits (NVD).