CVE-2025-37877: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37877 is a vulnerability discovered in the Linux kernel's IOMMU (Input/Output Memory Management Unit) subsystem. The vulnerability was disclosed on May 9, 2025, affecting various Linux distributions including Debian and Red Hat Enterprise Linux. The issue specifically relates to improper cleanup of IOMMU-DMA operations when the iommu_device_register() encounters an error (NVD, Wiz).

The vulnerability occurs during the execution of iommu_device_register() when it encounters an error. While it tears down already-configured groups and default domains, it fails to properly clean up devices that remain connected to IOMMU-DMA. This behavior has been historically inconsistent across architectures and drivers. The vulnerability has been assigned a CVSS v3.1 base score of 5.5, with a Local attack vector, Low attack complexity, and requiring Low privileges (Red Hat).

The primary impact of this vulnerability is system instability and potential crashes in the IOMMU-DMA subsystem. While DMA functionality may not work properly in cases where an IOMMU driver fails to probe, the incomplete cleanup can lead to undefined behavior and system crashes (Wiz).

The vulnerability has been fixed in Linux kernel version 6.12.27-1 for Debian systems. Red Hat Enterprise Linux 9 has deferred the fix for both kernel and kernel-rt packages. Various Linux distributions are in the process of backporting the fix to their supported kernel versions (Debian Tracker, Red Hat).