CVE-2025-37996: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37996 is a vulnerability discovered in the Linux kernel, specifically affecting the KVM (Kernel-based Virtual Machine) component on ARM64 architecture. The vulnerability was disclosed on May 29, 2025, and involves an uninitialized memcache pointer in the usermemabort() function. The issue stems from a commit (fce886a60207) that made the initialization of the local memcache variable conditional, potentially leaving a codepath where it could be used uninitialized via kvmpgtablestage2_map() (NVD CVE, Wiz Report).

The vulnerability occurs in the ARM64 KVM implementation where a stage-2 allocation could fail without transition via a permission fault or dirty logging due to an uninitialized memcache pointer. The issue has been assigned a CVSS v3.1 base score of 5.5 (Moderate), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access requirements and potential high impact on availability (Wiz Report).

The vulnerability primarily affects the availability of the system, particularly in scenarios involving stage-2 memory allocations in the KVM ARM64 implementation. The CVSS scoring indicates no impact on confidentiality or integrity, but a high impact on availability (Wiz Report).

Red Hat has deferred the fix for Red Hat Enterprise Linux 10, while versions 6 through 9 are not affected by this vulnerability. The issue has been resolved in the mainline Linux kernel through patches that ensure the memcache pointer is always properly initialized (Wiz Report).