Linux Kernel up to 6.14.5/6.15-rc4 module_memory_alloc allocation of resources

Summaryinfo

A vulnerability described as problematic has been identified in Linux Kernel up to 6.14.5/6.15-rc4. This issue affects the function module_memory_alloc. The manipulation results in allocation of resources. This vulnerability is known as CVE-2025-37898. No exploit is available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability, which was classified as problematic, was found in Linux Kernel up to 6.14.5/6.15-rc4. Affected is the function module_memory_alloc. The manipulation with an unknown input leads to a allocation of resources vulnerability. CWE is classifying the issue as CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. The impact remains unknown. CVE summarizes:

In the Linux kernel, the following vulnerability has been resolved: powerpc64/ftrace: fix module loading without patchable function entries get_stubs_size assumes that there must always be at least one patchable function entry, which is not always the case (modules that export data but no code), otherwise it returns -ENOEXEC and thus the section header sh_size is set to that value. During module_memory_alloc() the size is passed to execmem_alloc() after being page-aligned and thus set to zero which will cause it to fail the allocation (and thus module loading) as __vmalloc_node_range() checks for zero-sized allocs and returns null: [ 115.466896] module_64: cast_common: doesn't contain __patchable_function_entries. [ 115.469189] ------------[ cut here ]------------ [ 115.469496] WARNING: CPU: 0 PID: 274 at mm/vmalloc.c:3778 __vmalloc_node_range_noprof+0x8b4/0x8f0 ... [ 115.478574] ---[ end trace 0000000000000000 ]--- [ 115.479545] execmem: unable to allocate memory Fix this by removing the check completely, since it is anyway not helpful to propagate this as an error upwards.

The advisory is shared for download at git.kernel.org. This vulnerability is traded as CVE-2025-37898 since 04/16/2025. The exploitability is told to be difficult. There are known technical details, but no exploit is available.

The vulnerability scanner Nessus provides a plugin with the ID 242283 (Ubuntu 24.04 LTS : Linux kernel (OEM) vulnerabilities (USN-7650-1)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.14.6 or 6.15-rc5 eliminates this vulnerability. Applying the patch 358b559afec7806b9d01c2405b490e782c347022/534f5a8ba27863141e29766467a3e1f61bcb47ac is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (242283) and CERT Bund (WID-SEC-2025-1114). VulDB is the best source for vulnerability data and more expert information about this specific topic.

Affected

• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• SUSE openSUSE
• Dell Avamar
• Open Source Linux Kernel
• Dell NetWorker
• Dell Secure Connect Gateway

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.14.0
• 6.14.1
• 6.14.2
• 6.14.3
• 6.14.4
• 6.14.5
• 6.15-rc1
• 6.15-rc2
• 6.15-rc3
• 6.15-rc4

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion