CVE-2025-37827: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-37827 is a vulnerability discovered in the Linux kernel affecting the BTRFS file system's zoned mode functionality, specifically when handling RAID1 block groups. The vulnerability was disclosed on May 8, 2025, and affects various Linux distributions including Ubuntu and Debian systems (NVD, Wiz).

The vulnerability manifests when a RAID1 block-group is created and a write pointer mismatch between the disks in the RAID set is detected. In this scenario, BTRFS sets the allocoffset to the length of the block group, marking it as full. The issue occurs during conversion from the default metadata profile DUP to a RAID1 profile on two disks, leading to a NULL pointer dereference in _btrfsaddfreespacezoned(). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (RedHat).

When exploited, this vulnerability results in a NULL pointer dereference that can cause a kernel panic, potentially leading to system crashes and denial of service conditions. The issue specifically affects systems using BTRFS with zoned storage devices in RAID1 configuration (Wiz).

The vulnerability has been resolved in the Linux kernel through patches that address the write pointer mismatch handling in RAID1 block groups. Users are advised to update their Linux kernel to a version that includes these fixes. Several distributions including Ubuntu and Red Hat have released updates to address this vulnerability (Wiz).