CVE-2025-37812: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37812 is a vulnerability discovered in the Linux kernel's cdns3 USB driver, reported on May 8, 2025. The vulnerability affects the Network Control Model (NCM) gadget functionality and involves a deadlock condition similar to one previously fixed in the cdnsp driver (NVD).

The vulnerability occurs in the cdns3 driver when using the NCM gadget. The deadlock condition arises because the threaded interrupt handler can be preempted by a softirq, while both are protected by the same spinlock. This issue becomes particularly apparent under PREEMPT_RT configurations and can be triggered by heavy network traffic, specifically when using 'iperf --bidir' over an NCM ethernet link (NVD).

The vulnerability affects multiple Linux distributions including Ubuntu versions 20.04 LTS through 25.04, and various kernel variants including linux-aws, linux-azure, linux-gcp, and linux-bluefield. The issue has been rated as Medium severity in Ubuntu systems (Ubuntu).

The fix involves disabling softirq during the threaded interrupt handler execution to prevent the deadlock condition. This solution has been implemented in various Linux distributions, though some versions remain vulnerable and await patches (NVD).