
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-37865 is a vulnerability discovered in the Linux kernel, specifically affecting the net: dsa: mv88e6xxx component. The issue was publicly disclosed on May 9, 2025, and involves a bug triggered when deleting VLANs on switch chips that do not support MST (Multiple Spanning Tree) (NVD, Debian Tracker).
The vulnerability occurs in the mv88e6xxx_port_vlan_leave() function when it calls mv88e6xxx_mst_put(). That function tries to look up the MST entry in &chip->msts associated with the VLAN's SID and fails with -ENOENT. The root cause is that some chip->info->ops->vtu_getnext() implementations never populate vlan.sid, so the lookup is performed with whatever value the uninitialized stack field happens to hold. The issue has been assigned a CVSS v3.1 score of 5.5 with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).
The vulnerability affects systems using the mv88e6xxx driver for network switching, particularly when attempting to delete bridge VLANs from user ports. The impact is on availability rather than confidentiality or integrity, consistent with the CVSS vector: the VLAN deletion fails with -ENOENT on affected devices (Debian Tracker).
The issue has been fixed in various Linux kernel versions across different distributions. Debian has released fixes in version 6.1.135-1 for bookworm (security) and 6.12.25-1 for trixie. The fix has two parts: zero-initializing the vlan structure so that sid has a defined value even when vtu_getnext() does not set it, and adding a mv88e6xxx_has_stu() check inside mv88e6xxx_mst_put() so that chips without an STU skip the MST lookup entirely (Debian Tracker).
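A simplified C model of the defect and its fix, added here as an illustration and not taken from the kernel source: the `vlan_entry` and `chip_model` types, their fields and the `getnext_fills_sid` flag are hypothetical stand-ins for the driver's real structures. It shows why a getter that leaves `sid` untouched on a non-zero-initialised stack struct makes the MST lookup fail with -ENOENT, and how zero-initialising the struct and gating the release on `has_stu` avoids it.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical, simplified model of the driver's data (not the kernel's own code). */
struct vlan_entry { uint16_t vid; uint8_t sid; bool valid; };

struct chip_model {
    bool has_stu;            /* chip has an STU, i.e. supports MST */
    bool getnext_fills_sid;  /* whether this family's vtu_getnext() writes vlan.sid */
    uint8_t sid_in_hw;       /* SID the hardware reports when it does */
    int mst_refs[256];       /* reference count per MST entry, indexed by SID */
};

/* Model of chip->info->ops->vtu_getnext(): some implementations never touch sid. */
static void vtu_getnext(const struct chip_model *chip, struct vlan_entry *vlan) {
    vlan->valid = true;
    if (chip->getnext_fills_sid)
        vlan->sid = chip->sid_in_hw;
}

/* Model of mv88e6xxx_mst_put(): release one reference on the MST entry for sid. */
static int mst_put(struct chip_model *chip, uint8_t sid) {
    if (chip->mst_refs[sid] == 0)
        return -ENOENT;          /* no such entry: the failure the advisory describes */
    chip->mst_refs[sid]--;
    return 0;
}

/* Buggy shape of port_vlan_leave(): vlan is not zero-initialised. stale_value stands in
 * for whatever the uninitialised sid field happens to hold on a real stack. */
static int port_vlan_leave_buggy(struct chip_model *chip, uint8_t stale_value) {
    struct vlan_entry vlan;
    vlan.sid = stale_value;      /* simulates leftover stack contents */
    vtu_getnext(chip, &vlan);
    return mst_put(chip, vlan.sid);
}

/* Fixed shape: zero-initialise vlan, and have mst_put() bail out when the chip has no STU. */
static int mst_put_fixed(struct chip_model *chip, uint8_t sid) {
    if (!chip->has_stu)
        return 0;                /* nothing to release on chips without MST */
    return mst_put(chip, sid);
}

static int port_vlan_leave_fixed(struct chip_model *chip) {
    struct vlan_entry vlan = {0};
    vtu_getnext(chip, &vlan);
    return mst_put_fixed(chip, vlan.sid);
}
```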
Source: This report was generated using AI