CVE-2025-37790: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37790 is a vulnerability discovered in the Linux kernel's MCTP (Management Component Transport Protocol) networking subsystem, first reported on May 1, 2025. The vulnerability affects the socket handling during bind lookup operations under RCU (Read-Copy-Update) (NVD, Wiz).

The vulnerability specifically affects the MCTP networking subsystem in the Linux kernel where bind lookup operations run under RCU. The issue occurs when a socket could potentially be deallocated during a lookup operation. The technical solution involves setting the SOCK_RCU_FREE flag to ensure proper socket lifetime management during RCU operations. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability affects various Linux kernel versions across different distributions. According to the Debian Security Tracker, several releases are impacted including bookworm (6.1.129-1) and trixie (6.12.22-1) versions, while some older versions like bullseye are not affected due to the vulnerable code not being present (Debian Tracker).

Fixed versions have been released for various Linux distributions. Debian has addressed the vulnerability in bookworm with version 6.1.135-1 and in sid with version 6.12.25-1. The bullseye release is noted as not affected since the vulnerable code is not present in that version. Red Hat Enterprise Linux versions 6, 7, 8, and 9 are reported as not affected (Debian Tracker, Red Hat).