CVE-2025-37857: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37857 is a vulnerability discovered in the Linux kernel affecting the SCSI tape driver (st). The vulnerability was published on May 9, 2025, and involves an array overflow issue in the st_setup() function. The vulnerability specifically relates to the use of a fixed array size instead of following the parameters size in the SCSI tape driver implementation (NVD, Wiz).

The vulnerability stems from an array overflow condition in the st_setup() function of the SCSI tape driver. The issue occurs due to the use of a fixed array size instead of following the parameters size. A fix has been implemented to change the array size to properly follow the parms size. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability affects various Linux distributions including Red Hat Enterprise Linux 9 and Debian systems. In Debian, multiple versions are affected including bullseye (5.10.223-1 and 5.10.234-1) and bookworm (6.1.129-1). The vulnerability's impact is primarily focused on availability, as indicated by the CVSS metrics showing high impact on availability but no impact on confidentiality or integrity (Debian Tracker, Red Hat).

Fixed versions have been released for several distributions. Debian has implemented fixes in bookworm (6.1.135-1), trixie (6.12.25-1), and sid (6.12.27-1). For Red Hat Enterprise Linux 9, the fix status is currently deferred. Users are advised to upgrade to the fixed versions when available (Debian Tracker, Wiz).