CVE-2025-37860: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel was identified and assigned CVE-2025-37860, specifically affecting the sfc driver component. The issue involves NULL dereferences in the ef100processdesign_param() function. The vulnerability was disclosed on April 18, 2025, and affects various Linux distributions (NVD, Debian Tracker).

The vulnerability stems from a timing issue where ef100probemain() and ef100checkdesignparams() functions execute before efx->netdev is created, leading to potential NULL dereferences. The issue affects the netifsettsomaxsize() and _segs() calls. The vulnerability has been assigned a CVSS v3.1 score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a moderate severity level (Red Hat XML).

The vulnerability primarily affects system availability, as indicated by the CVSS metrics showing high impact on availability (A:H) while having no direct impact on confidentiality (C:N) or integrity (I:N). The issue requires local access and low privileges to exploit (Red Hat XML).

The vulnerability has been fixed in several Linux distributions. Debian has released fixes in version 5.10.234-1 for bullseye, while some versions remain vulnerable including bookworm and trixie. Red Hat has deferred fixes for Red Hat Enterprise Linux 9, while versions 6 and 7 are not affected (Debian Tracker, Red Hat XML).