CVE-2025-37843: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37843 was disclosed on May 9, 2025, addressing a race condition vulnerability in the Linux kernel's PCI hotplug subsystem. The vulnerability specifically affects the PCI hotplug (pciehp) component and involves issues with hot-removal of nested PCI hotplug ports (NVD, Wiz).

The vulnerability stems from a race condition where a parent hotplug port acquires pci_lock_rescan_remove() and waits for pciehp to unbind from a child hotplug port, while simultaneously the child hotplug port attempts to acquire the same lock to remove its children. The deadlock specifically occurs when the parent acquires the lock first. The issue became more prominent with commit 9d573d19547b, which attempted to detect device replacement during system sleep. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability can result in system deadlocks during PCI device hot-removal operations, particularly affecting systems with nested PCI hotplug ports. The issue is especially problematic when removing multiple Thunderbolt devices during system sleep (Wiz).

The fix involves checking whether the hotplug port itself was hot-removed before checking if its child device was replaced. This solution works because the resume_noirq() callback is invoked in top-down order for the entire hierarchy, allowing parent hotplug ports to mark children as removed using pci_dev_set_disconnected() (NVD).