CVE-2025-37883 in Linux
Summary
by MITRE • 05/09/2025
In the Linux kernel, the following vulnerability has been resolved:
s390/sclp: Add check for get_zeroed_page()
Add check for the return value of get_zeroed_page() in sclp_console_init() to prevent null pointer dereference. Furthermore, to solve the memory leak caused by the loop allocation, add a free helper to do the free job.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 01/31/2026
The vulnerability identified as CVE-2025-37883 affects the Linux kernel's s390 architecture implementation, specifically within the SCLP (Service Call Logical Processor) console initialization function. This issue represents a critical security flaw that could potentially lead to system instability or denial of service conditions. The vulnerability manifests in the sclp_console_init() function where proper error handling for memory allocation operations has been insufficiently implemented. The s390 architecture, which is a mainframe computing architecture developed by IBM, relies on SCLP for system management and console communication functionalities. When the kernel attempts to initialize console services on these systems, it must allocate memory pages to support console operations, making this a fundamental component of system operation.
The technical flaw stems from the absence of proper validation for the return value of the get_zeroed_page() function call within the sclp_console_init() context. The get_zeroed_page() function is a kernel memory allocation primitive that returns a pointer to a newly allocated page of memory initialized to zero. When this allocation fails, the function returns NULL, but the current implementation does not check for this condition before proceeding with subsequent operations. This oversight creates a potential null pointer dereference scenario where the kernel code attempts to access memory through a NULL pointer, leading to immediate system termination or kernel panic. The vulnerability is categorized under CWE-476 as a NULL Pointer Dereference, which is a common class of software defects that can result in system crashes and potentially provide attack vectors for malicious actors.
The operational impact of this vulnerability extends beyond simple system crashes, as it could enable adversaries to exploit the memory management flaw to cause persistent denial of service conditions on mainframe systems. In enterprise environments where s390 systems are deployed for critical operations, such as banking, telecommunications, and government services, this vulnerability could result in significant operational disruptions. The memory leak aspect of the vulnerability compounds the issue, as repeated initialization attempts could gradually consume available system memory resources. This progressive memory consumption could lead to system instability over time, making the system increasingly vulnerable to other memory-related failures. The vulnerability affects systems running Linux kernels with s390 architecture support, particularly those implementing console services through SCLP interfaces, which are essential for system monitoring and administrative access.
Mitigation strategies for CVE-2025-37883 should prioritize immediate kernel updates from trusted vendors to address the root cause of the null pointer dereference and memory leak. System administrators should implement comprehensive monitoring of system memory usage and console service stability to detect potential exploitation attempts. The fix requires implementing proper error handling for get_zeroed_page() return values and adding appropriate memory cleanup procedures to prevent resource exhaustion. Organizations should also consider implementing runtime protections such as kernel address space layout randomization and stack canaries to reduce the effectiveness of potential exploitation attempts. Security teams should conduct thorough vulnerability assessments to identify systems running affected kernel versions and prioritize patch deployment based on system criticality and risk exposure. The ATT&CK framework categorizes this vulnerability under T1499.004 as "Endpoint Denial of Service" and T1566.001 as "Phishing" if exploitation involves social engineering to trigger the vulnerable code path, emphasizing the need for comprehensive defensive measures across multiple attack surface areas.