CVE-2025-37960: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37960 was discovered and published on May 20, 2025, affecting the Linux kernel. The vulnerability involves a memory allocation issue in the memblock_double_array() function where memory ranges returned by memblock_find_in_range() may not be properly accepted before use (NVD, Wiz).

The vulnerability occurs when increasing the array size in memblock_double_array() and the slab is not yet available. A call to memblock_find_in_range() is used to reserve/allocate memory, but the range returned may not have been accepted. This issue particularly affects kernels prior to v6.12, where the accept_memory() interface used 'start' and 'end' parameters instead of 'start' and 'size'. The vulnerability has been assigned a CVSS v3.1 score of 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) (Red Hat).

The vulnerability can result in a system crash when booting an SNP guest, as demonstrated by crash logs showing memory access issues and register state information. This affects the system's stability and availability during the boot process (Wiz).

The issue has been resolved by implementing a fix that calls accept_memory() on the memory range returned before the slab is available. For systems running kernels prior to v6.12, the accept_memory() call must be adjusted to use 'start + size' for the 'end' parameter due to the different interface requirements (NVD).