CVE-2025-37878: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37878 is a vulnerability discovered in the Linux kernel's perf/core subsystem, specifically affecting the __free_event() function. The vulnerability was published on May 9, 2025, and impacts various Linux distributions including Debian's bullseye, bookworm, and trixie releases (NVD, Debian Tracker).

The vulnerability stems from a timing issue in the event context handling where WARN_ON_ONCE() could trigger after the initial check passed but before child_event->ctx was assigned. This issue resulted from multiple interacting commits over a 15-year period, affecting how the code handles context assignment and reference counting for performance monitoring events. Red Hat has assigned this vulnerability a CVSS v3.1 score of 7.0 with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (Red Hat, Wiz).

The vulnerability affects multiple Linux distributions and has received high CVSS scores for Confidentiality, Integrity, and Availability, suggesting potential serious consequences if exploited (Wiz).

The vulnerability has been fixed in Debian sid version 6.12.27-1. For Red Hat Enterprise Linux 9, the fix is currently deferred. The solution involves moving the get_ctx(child_ctx) call and the child_event->ctx assignment to occur immediately after the child event is allocated, ensuring that child_event->ctx is non-NULL before any subsequent error path (Debian Tracker, Red Hat).