CVE-2025-37808: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37808 is a vulnerability discovered in the Linux kernel's crypto subsystem, specifically affecting the null algorithm implementation. The vulnerability was disclosed on May 8, 2025, and impacts various Linux distributions and their kernel versions. The issue relates to the use of mutex instead of spin locks in protecting the default null algorithm, which could be problematic when the algorithm is freed in softirq context through af_alg (NVD).

The vulnerability stems from an implementation issue in the Linux kernel's crypto subsystem where mutex was used instead of spin locks to protect the default null algorithm. The technical concern arises because the null algorithm may be freed in softirq context through af_alg, making the use of mutexes inappropriate for this protection mechanism. The vulnerability has been assigned a CVSS v3.1 score of 5.5 (Medium) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability has been rated as having a Medium severity impact. According to the CVSS scoring, while there is no impact on confidentiality or integrity, there is a potential for high impact on availability. The vulnerability requires local access and low privileges to exploit, with no user interaction needed (Red Hat).

The vulnerability has been addressed in various Linux distributions with different statuses. Ubuntu has marked it as 'Vulnerable' across multiple recent versions (22.04 LTS, 24.04 LTS, 24.10, 25.04), while some older versions (16.04 LTS, 18.04 LTS) are marked as 'Ignored ESM criteria'. Red Hat has deferred fixes for Red Hat Enterprise Linux 9, while versions 6, 7, and 8 are out of support scope (Ubuntu, Red Hat).