CVE-2025-39737: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-39737 is a vulnerability in the Linux kernel's memory leak detector (kmemleak) component, discovered and disclosed on September 11, 2025. The issue affects the kmemleak cleanup functionality in debug kernels, specifically impacting x86-64 systems running with kmemleak enabled (NVD).

The vulnerability manifests as a soft lockup in the kmemleakdocleanup() function when running on x86-64 systems with 16GB of memory and debug kernel enabled. The issue occurs when kmemleak disables itself due to inability to allocate more objects, with CONFIGDEBUGKMEMLEAKMEMPOOLSIZE set to 40,000. The soft lockup happens during the cleanup process where objects are removed and deleted one-by-one in a loop via a workqueue, requiring acquisition and release of rawspinlock in delete_object(). The vulnerability has been assigned a CVSS v3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (Red Hat).

The vulnerability can cause system performance degradation through soft lockups on affected systems, particularly impacting CPU #8 with documented cases of 33-second stuck periods. While the impact is limited to debug kernels with kmemleak enabled, it can affect system availability and performance in development and testing environments (NVD).

The solution implemented involves calling cond_resched() at periodic intervals in the iteration loop to avoid soft lockup. While optimization of the object removal and deletion process was considered, it was deemed unnecessary for this edge case. The fix has been deferred for various versions of Red Hat Enterprise Linux including versions 6, 7, 8, and 9 (Red Hat).