CVE-2025-37840: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37840 is a vulnerability discovered in the Linux kernel's MTD NAND subsystem, specifically affecting the Broadcom NAND controller driver (brcmnand). The issue was disclosed on May 9, 2025, and involves an uninitialized struct nand_operation that performs chip select field validation during power management (PM) resume operations (NVD, Wiz).

The vulnerability manifests as a warning during PM resume operations in the drivers/mtd/nand/raw/internals.h file at line 139. The issue occurs when the system checks the chip select field using WARN_ON(op->cs >= nanddev_ntargets(&chip->base)) with an uninitialized struct nand_operation. The vulnerability has been assigned a CVSS v3.1 score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (RedHat).

The vulnerability primarily affects system logging and debugging functionality, resulting in warning messages during system resume operations. The impact is considered moderate, with no direct security exploits reported (Wiz, RedHat).

The vulnerability has been resolved by implementing a fix that uses the higher-level nand_reset(chip, chipnr) function with chipnr = 0 during PM resume operations. This modification ensures compliance with the controller's support for single die NAND chips, replacing the previous use of nand_reset_op() (NVD).