{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T15:25:53.571","vulnerabilities":[{"cve":{"id":"CVE-2025-37760","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-05-01T14:15:38.110","lastModified":"2025-11-06T21:44:26.153","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vma: add give_up_on_oom option on modify/merge, use in uffd release\n\nCurrently, if a VMA merge fails due to an OOM condition arising on commit\nmerge or a failure to duplicate anon_vma's, we report this so the caller\ncan handle it.\n\nHowever there are cases where the caller is only ostensibly trying a\nmerge, and doesn't mind if it fails due to this condition.\n\nSince we do not want to introduce an implicit assumption that we only\nactually modify VMAs after OOM conditions might arise, add a 'give up on\noom' option and make an explicit contract that, should this flag be set, we\nabsolutely will not modify any VMAs should OOM arise and just bail out.\n\nSince it'd be very unusual for a user to try to vma_modify() with this flag\nset but be specifying a range within a VMA which ends up being split (which\ncan fail due to rlimit issues, not only OOM), we add a debug warning for\nthis condition.\n\nThe motivating reason for this is uffd release - syzkaller (and Pedro\nFalcato's VERY astute analysis) found a way in which an injected fault on\nallocation, triggering an OOM condition on commit merge, would result in\nuffd code becoming confused and treating an error value as if it were a VMA\npointer.\n\nTo avoid this, we make use of this new VMG flag to ensure that this never\noccurs, utilising the fact that, should we be clearing entire VMAs, we do\nnot wish an OOM event to be reported to us.\n\nMany thanks to Pedro Falcato for his excellent analysis and Jann Horn for\nhis insightful and intelligent analysis of the situation, both of whom were\ninstrumental in this fix."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/vma: añadir la opción give_up_on_oom en modificar/fusionar, usar en la versión uffd Actualmente, si una fusión de VMA falla debido a una condición OOM que surge en la fusión de confirmación o un fallo al duplicar anon_vma, informamos de ello para que el llamador pueda gestionarlo. Sin embargo, hay casos en los que el llamador solo está intentando una fusión ostensiblemente y no le importa si falla debido a esta condición. Dado que no queremos introducir una suposición implícita de que solo modificamos realmente los VMA después de que puedan surgir condiciones OOM, agregue una opción 'renunciar a oom' y haga un contrato explícito de que, si se establece este indicador, no modificaremos en absoluto ningún VMA si surge OOM y simplemente nos retiraremos. Dado que sería muy inusual que un usuario intentara usar vma_modify() con este indicador activado, pero especificando un rango dentro de un VMA que termina dividiéndose (lo cual puede fallar debido a problemas con rlimit, no solo por OOM), añadimos una advertencia de depuración para esta condición. El motivo es la versión de uffd: syzkaller (y el astuto análisis de Pedro Falcato) encontró una forma en la que un fallo inyectado en la asignación, que desencadena una condición OOM al fusionar las confirmaciones, provocaba que el código de uffd se confundiera y tratara un valor de error como si fuera un puntero a un VMA. Para evitar esto, utilizamos este nuevo indicador VMG para asegurarnos de que esto nunca ocurra, aprovechando que, si borramos VMAs completas, no queremos que se nos informe de un evento OOM. Muchas gracias a Pedro Falcato por su excelente análisis y a Jann Horn por su perspicaz e inteligente análisis de la situación, ambos fundamentales en esta solución."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.19","versionEndExcluding":"6.12.25","matchCriteriaId":"4E18BED3-0115-482C-861A-9ECA8B05EEB2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13.7","versionEndExcluding":"6.14","matchCriteriaId":"87A94BBB-C489-4F0E-AC35-A6E9E1316FCE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14.1","versionEndExcluding":"6.14.4","matchCriteriaId":"26175852-4D93-410C-BC8C-C405F2A9D737"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:-:*:*:*:*:*:*","matchCriteriaId":"7DE421BA-0600-4401-A175-73CAB6A6FB4E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc6:*:*:*:*:*:*","matchCriteriaId":"1759FFB7-531C-41B1-9AE1-FD3D80E0D920"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc7:*:*:*:*:*:*","matchCriteriaId":"AD948719-8628-4421-A340-1066314BBD4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*","matchCriteriaId":"8D465631-2980-487A-8E65-40AE2B9F8ED1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*","matchCriteriaId":"4C9D071F-B28E-46EC-AC61-22B913390211"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/41e6ddcaa0f18dda4c3fadf22533775a30d6f72f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b906c1ad25adce6ff35be19b65a1aa7d960fe1d7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c103a75c61648203d731e3b97a6fbeea4003cb15","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}