
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-39763 is a vulnerability discovered in the Linux kernel's ACPI APEI (Advanced Configuration and Power Interface Advanced Platform Error Interface) component, disclosed on September 11, 2025. The vulnerability affects the error handling mechanism in the Linux kernel, specifically related to how synchronous memory errors are processed (NVD).
The vulnerability occurs when a user-space process triggers a 2-bit uncorrected error, causing the CPU to take a synchronous error exception (such as Synchronous External Abort on Arm64). While the kernel normally queues a memory_failure() work to handle such errors by poisoning and unmapping the affected page, the vulnerability manifests when abnormal synchronous errors occur (like invalid PA, unexpected severity, no memory failure config support, or invalid GUID section). In these cases, no memory_failure() work is queued, leading to potential system instability. The vulnerability has been assigned a CVSS v3.1 score of 5.5 (Moderate) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).
When exploited, this vulnerability can cause the user-space process to repeatedly trigger Synchronous External Abort (SEA) exceptions. This continuous loop can exceed the platform firmware threshold or trigger a kernel hard lockup, ultimately resulting in a system reboot. The impact primarily affects system availability, with no direct impact on confidentiality or integrity (NVD).
The fix involves implementing a force kill mechanism if no memory_failure() work is queued for synchronous errors. Red Hat has marked this vulnerability as 'Fix deferred' for multiple versions including Red Hat Enterprise Linux 7, 8, 9, and their RT (Real-Time) kernel variants (Red Hat).
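The following user-space model is an added illustration, not the kernel patch or any code from the advisory. It replays the faulting access for a record that fails one of the checks listed above and compares the unfixed and fixed outcomes; the struct, function names and the firmware threshold of 8 are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model; all names here are hypothetical, not kernel symbols. */
enum outcome { PAGE_POISONED, TASK_KILLED, SYSTEM_REBOOT };

/* The abnormal-record conditions named in the advisory text. */
struct sea_record {
    bool pa_valid;           /* physical address is valid */
    bool severity_expected;  /* severity is one the handler acts on */
    bool memory_failure_cfg; /* memory failure config support present */
    bool guid_known;         /* section GUID is recognised */
};

/* True when a memory_failure() work item would be queued for the record. */
static bool queue_memory_failure(const struct sea_record *r)
{
    return r->pa_valid && r->severity_expected &&
           r->memory_failure_cfg && r->guid_known;
}

/*
 * Replay the faulting access until something stops the task.
 * fw_threshold: assumed number of SEAs the platform firmware tolerates.
 * force_kill:   true models the fixed behaviour.
 * *sea_count receives the number of exceptions taken.
 */
static enum outcome run_task(const struct sea_record *r, int fw_threshold,
                             bool force_kill, int *sea_count)
{
    for (*sea_count = 1; ; (*sea_count)++) {
        if (queue_memory_failure(r))
            return PAGE_POISONED;  /* normal path: page poisoned and unmapped */
        if (force_kill)
            return TASK_KILLED;    /* fix: nothing queued, kill the task */
        if (*sea_count >= fw_threshold)
            return SYSTEM_REBOOT;  /* unfixed: SEA loop ends in a reboot */
    }
}

int main(void)
{
    /* Constructed sample record: invalid physical address. */
    struct sea_record bad = { false, true, true, true };
    int n;
    enum outcome o = run_task(&bad, 8, false, &n);
    printf("unfixed: outcome=%d after %d SEAs\n", o, n);
    o = run_task(&bad, 8, true, &n);
    printf("fixed:   outcome=%d after %d SEAs\n", o, n);
    return 0;
}
```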
Source: This report was generated using AI