CVE-2025-37833: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37833 is a vulnerability discovered in the Linux kernel's network interface unit (NIU) driver, specifically affecting the MSIX entry data fields handling in the niutrymsix() function. The vulnerability was disclosed on May 8, 2025, primarily affecting SPARC systems running Linux kernels (NVD, Wiz).

The vulnerability occurs when registers in MSIX table entries are read before the entries' ENTRYDATA register is written to. This improper initialization sequence causes a fatal trap on SPARC systems. The issue requires setting PCIDEVFLAGSMSIXTOUCHENTRYDATAFIRST on the struct pci_dev to work around a hardware or firmware bug. According to Red Hat's assessment, this vulnerability has been assigned a CVSS v3.1 base score of 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) (Red Hat).

When triggered, the vulnerability results in a non-resumable error that leads to a kernel panic, effectively causing a system crash. This creates a denial of service condition on affected SPARC systems running the Linux kernel. The issue only needs to happen once after power up, and rebooting into a kernel lacking this fix will not cause the trap (NVD, Wiz).

The vulnerability has been resolved in the Linux kernel through a patch that modifies the niutrymsix() function to properly handle MSIX ENTRYDATA fields. The fix ensures that the ENTRYDATA register is written to before any other registers in the entry are read. Ubuntu has marked this as a medium priority issue and is working on updates for affected versions (Ubuntu, Wiz).