CVE-2025-37842: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37842 is a vulnerability discovered in the Linux kernel affecting the Freescale Quad SPI (fsl-qspi) driver. The vulnerability was disclosed on May 9, 2025, and involves improper resource management in the driver removal function. The issue specifically affects systems using the Freescale Quad SPI driver, particularly on i.MX8MQ platforms (Wiz Report, NVD).

The vulnerability stems from a mismatch in resource management where the driver uses devm APIs to manage clock, interrupt, and resources and register the SPI controller. The legacy remove function is called first during device detach, which can trigger a kernel panic. The issue can be triggered by executing 'echo 30bb0000.spi > /sys/bus/platform/drivers/fsl-quadspi/unbind'. The vulnerability has been assigned a CVSS v3.1 score of 5.5 (Medium severity) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

When exploited, this vulnerability results in a kernel panic on affected systems, potentially causing system crashes and denial of service conditions. This primarily affects systems using the Freescale Quad SPI driver, particularly on i.MX8MQ platforms (Wiz Report).

The fix involves dropping the remove function and using devmaddactionorreset() for driver cleanup to ensure proper release sequence. Red Hat Enterprise Linux 9 has deferred the fix, while earlier versions (RHEL 6, 7, and 8) are not affected (Red Hat).