CVE-2025-37741: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37741 is a vulnerability discovered in the Linux kernel's JFS (Journaling File System) component, reported on May 1, 2025. The vulnerability involves improper handling of nlink values when copying from disk inodes (NVD, Debian Tracker).

The vulnerability occurs when calling 'ioctl$LOOP_SET_STATUS64' with an offset value of 4 that doesn't match the mounted loop device, causing the mounted loop device mapping to be invalidated. When creating a directory and inode of iag in diReadSpecial(), the page of fixed disk inode (AIT) is read in raw mode in read_metapage(). The returned metapage data is corrupted, causing a nlink value of 0 to be assigned to the iag inode during copy_from_dinode() execution, ultimately resulting in a deadlock when entering diFree(). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability leads to a deadlock condition in the Linux kernel's JFS implementation, potentially causing system instability and denial of service. The issue specifically affects the filesystem's ability to properly handle inode operations, which could impact system reliability and performance (Wiz).

The vulnerability has been resolved in the Linux kernel by implementing a check for the nlink value of dinode before setting the iag inode. Fixed versions are available in various distributions, with Debian bookworm (security) version 6.1.135-1 containing the fix. Additionally, Debian trixie (6.12.25-1) and sid (6.12.27-1) versions have also been patched (Debian Tracker).