CVE-2025-37966

Severity: MEDIUM, CVSS 3.1 base score 5.5
2025-05-20 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd) - Patch available
CVE Published: May 20, 2025 - 17:15 (nvd)

Description (NVD)

In the Linux kernel, the following vulnerability has been resolved:

riscv: Fix kernel crash due to PR_SET_TAGGED_ADDR_CTRL

When userspace does PR_SET_TAGGED_ADDR_CTRL, but Supm extension is not available, the kernel crashes:

Oops - illegal instruction [#1]
[snip]
epc : set_tagged_addr_ctrl+0x112/0x15a
 ra : set_tagged_addr_ctrl+0x74/0x15a
epc : ffffffff80011ace ra : ffffffff80011a30 sp : ffffffc60039be10
[snip]
status: 0000000200000120 badaddr: 0000000010a79073 cause: 0000000000000002
set_tagged_addr_ctrl+0x112/0x15a
__riscv_sys_prctl+0x352/0x73c
do_trap_ecall_u+0x17c/0x20c
andle_exception+0x150/0x15c

Fix it by checking if Supm is available.

Analysis (AI)

A denial-of-service vulnerability exists in the Linux kernel's RISC-V architecture implementation: improper validation in the PR_SET_TAGGED_ADDR_CTRL prctl system call causes a kernel crash when the Supm (Supervisor User Memory) extension is not available. Affected systems are Linux kernel versions including 6.15-rc1 through 6.15-rc5, and potentially earlier versions, across all RISC-V platforms. A local attacker with unprivileged user access can trigger an illegal instruction exception, crashing the kernel and denying service to all users. The EPSS exploitation probability of only 0.11 percent indicates low real-world exploitation likelihood; a vendor patch is available.

Technical Context (AI)

The vulnerability resides in the RISC-V-specific implementation of the prctl system call handler, specifically in the set_tagged_addr_ctrl function within the Linux kernel's architecture-dependent code. The Supm extension is a RISC-V ISA (Instruction Set Architecture) feature that enables supervisor-mode virtual memory features for user-space processes. The root cause is the absence of a runtime check that the Supm extension is present before Supm-specific instructions are executed during the PR_SET_TAGGED_ADDR_CTRL prctl operation. When userspace invokes this prctl on hardware without the extension, the kernel attempts to execute an instruction the hardware does not implement, triggering an illegal instruction exception (cause code 0x02) that crashes the kernel. This is an improper input validation issue at the architecture abstraction layer: a privileged kernel operation is not gated by a capability check. The affected CPE indicates that all Linux kernel versions with RISC-V support are potentially vulnerable, with confirmed impact on 6.15-rc series releases.

Remediation (AI)

Upgrade the Linux kernel to a version containing the fix from commit 4b595a2f5656cd45d534ed2160c94f7662adefe5 or commit ae08d55807c099357c047dba17624b09414635dd (available in stable branch releases following these commits). For RISC-V systems running 6.15-rc or earlier kernels, apply the upstream patch immediately or wait for the stable kernel release that incorporates this fix. The patch adds a runtime check for Supm extension availability before executing Supm-specific instructions within set_tagged_addr_ctrl, preventing the illegal instruction exception. Until patching is feasible, restrict local system access via standard OS-level controls (SELinux, AppArmor) to limit which users can invoke prctl, and monitor kernel logs for illegal instruction faults that would indicate exploitation attempts. The fix is minimal (a few lines of code) and carries negligible performance impact, making rapid deployment advisable for any RISC-V Linux deployment in production.
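As an added example (not part of the vuln.today page or of the kernel fix), a small Python detector for the log-monitoring step above: it splits a kernel log into oops records, flags records with cause 2 (illegal instruction) whose backtrace passes through set_tagged_addr_ctrl and __riscv_sys_prctl, and decodes badaddr, which on a RISC-V illegal-instruction trap holds the faulting instruction bits. The sample log is constructed from the oops quoted in the description, and the decoder assumes the standard 32-bit CSR instruction encoding (opcode 0x73) and the senvcfg CSR number 0x10A.

```python
import re

# Constructed sample: the oops quoted in the CVE description, in the form a log
# collector would forward it (only the lines the detector needs are kept).
SAMPLE_LOG = """\
Oops - illegal instruction [#1]
epc : set_tagged_addr_ctrl+0x112/0x15a
status: 0000000200000120 badaddr: 0000000010a79073 cause: 0000000000000002
set_tagged_addr_ctrl+0x112/0x15a
__riscv_sys_prctl+0x352/0x73c
do_trap_ecall_u+0x17c/0x20c
"""

CAUSE_ILLEGAL_INSN = 2   # RISC-V exception cause code for an illegal instruction
CSR_SENVCFG = 0x10A      # CSR number of the senvcfg CSR (assumed, per the privileged spec)
FRAME_RE = re.compile(r"(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")  # backtrace line: sym+off/size

def split_oopses(log):
    """One record (list of lines) per 'Oops - ...' header line."""
    return [c.splitlines() for c in re.split(r"(?m)^(?=Oops - )", log) if c.strip()]

def parse_oops(rec):
    """Extract cause, badaddr and the symbol names of the backtrace frames."""
    text = "\n".join(rec)
    cause = int(re.search(r"cause: ([0-9a-f]+)", text).group(1), 16)
    badaddr = int(re.search(r"badaddr: ([0-9a-f]+)", text).group(1), 16)
    frames = [m.group(1) for m in map(FRAME_RE.fullmatch, rec) if m]
    return {"cause": cause, "badaddr": badaddr, "frames": frames}

def decode_csr_write(insn):
    """Return the CSR number if insn encodes 'csrw csr, rs1' (csrrw with rd=x0), else None.
    On an illegal-instruction trap, RISC-V reports the instruction bits in badaddr."""
    opcode, funct3, rd = insn & 0x7F, (insn >> 12) & 7, (insn >> 7) & 0x1F
    return insn >> 20 if (opcode, funct3, rd) == (0x73, 1, 0) else None

def matches_cve_2025_37966(oops):
    """Illegal-instruction trap taken inside set_tagged_addr_ctrl, reached via prctl."""
    return (oops["cause"] == CAUSE_ILLEGAL_INSN
            and {"set_tagged_addr_ctrl", "__riscv_sys_prctl"} <= set(oops["frames"]))

def scan(log):
    """Return the oops records in log matching the CVE signature, with badaddr decoded."""
    hits = []
    for oops in map(parse_oops, split_oopses(log)):
        if matches_cve_2025_37966(oops):
            oops["csr"] = decode_csr_write(oops["badaddr"])
            hits.append(oops)
    return hits
```

Running scan over the constructed sample yields one hit whose badaddr decodes to a csrw targeting CSR 0x10A (senvcfg), which is the signature a SIEM rule for this CVE should key on.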

Vendor Status (Vendor)


CVE-2025-37966 vulnerability details – vuln.today
