CVE-2025-37991 Affecting linux-6.1 package, versions <6.1.140-1~deb11u1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DEBIAN11-LINUX61-11786170
- published13 Aug 2025
- disclosed20 May 2025
Introduced: 20 May 2025
CVE-2025-37991 (opens in a new tab)How to fix?
Upgrade Debian:11 linux-6.1 to version 6.1.140-1~deb11u1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream linux-6.1 package and not the linux-6.1 package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
parisc: Fix double SIGFPE crash
Camm noticed that on parisc a SIGFPE exception will crash an application with a second SIGFPE in the signal handler. Dave analyzed it, and it happens because glibc uses a double-word floating-point store to atomically update function descriptors. As a result of lazy binding, we hit a floating-point store in fpe_func almost immediately.
When the T bit is set, an assist exception trap occurs when when the co-processor encounters any floating-point instruction except for a double store of register %fr0. The latter cancels all pending traps. Let's fix this by clearing the Trap (T) bit in the FP status register before returning to the signal handler in userspace.
The issue can be reproduced with this test program:
root@parisc:~# cat fpe.c
static void fpe_func(int sig, siginfo_t *i, void *v) { sigset_t set; sigemptyset(&set); sigaddset(&set, SIGFPE); sigprocmask(SIG_UNBLOCK, &set, NULL); printf("GOT signal %d with si_code %ld\n", sig, i->si_code); }
int main() { struct sigaction action = { .sa_sigaction = fpe_func, .sa_flags = SA_RESTART|SA_SIGINFO }; sigaction(SIGFPE, &action, 0); feenableexcept(FE_OVERFLOW); return printf("%lf\n",1.7976931348623158E308*1.7976931348623158E308); }
root@parisc:# gcc fpe.c -lm
root@parisc:# ./a.out
Floating point exception
root@parisc:~# strace -f ./a.out execve("./a.out", ["./a.out"], 0xf9ac7034 /* 20 vars /) = 0 getrlimit(RLIMIT_STACK, {rlim_cur=81921024, rlim_max=RLIM_INFINITY}) = 0 ... rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0 --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} --- --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} --- +++ killed by SIGFPE +++ Floating point exception
References
- https://security-tracker.debian.org/tracker/CVE-2025-37991
- https://git.kernel.org/stable/c/6a098c51d18ec99485668da44294565c43dbc106
- https://git.kernel.org/stable/c/6c639af49e9e5615a8395981eaf5943fb40acd6f
- https://git.kernel.org/stable/c/cf21e890f56b7d0038ddaf25224e4f4c69ecd143
- https://git.kernel.org/stable/c/de3629baf5a33af1919dec7136d643b0662e85ef
- https://git.kernel.org/stable/c/df3592e493d7f29bae4ffde9a9325de50ddf962e
- https://git.kernel.org/stable/c/ec4584495868bd465fe60a3f771915c0e7ce7951
- https://git.kernel.org/stable/c/2a1aff3616b3b57aa4a5f8a7762cce1e82493fe6
- https://git.kernel.org/stable/c/757ba4d17b868482837c566cfefca59e2296c608