CVE-2025-37798: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37798 is a vulnerability discovered in the Linux kernel, specifically affecting the codel (Controlled Delay) queuing discipline component. The vulnerability was disclosed on May 02, 2025, and involves the removal of a queue length check before calling qdisctreereduce_backlog() function (NVD).

The vulnerability relates to the removal of the sch->q.qlen check before qdisctreereducebacklog() function call. After making all ->qlennotify() callbacks idempotent, it became safe to remove the check of qlen!=0 from both fqcodeldequeue() and codelqdiscdequeue() functions. According to Red Hat's assessment, this vulnerability has been assigned a CVSS v3.1 base score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability affects multiple versions of the Linux kernel across different distributions. According to the Debian Security Tracker, several versions were impacted including bullseye (5.10.223-1, 5.10.234-1), bookworm (6.1.137-1), and trixie/sid (6.12.27-1) (Debian Tracker).

Fixed versions have been released to address this vulnerability. The issue has been resolved in Linux kernel version 6.1.135-1 for Debian bookworm and 6.12.25-1 for Debian sid. For Red Hat Enterprise Linux 9, the fix has been deferred for both kernel and kernel-rt packages (Debian Tracker, Red Hat).