CVE-2025-37881: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37881 is a vulnerability discovered in the Linux kernel's USB gadget driver for Aspeed devices, specifically in the astvhubinitdev() function. The vulnerability was disclosed on May 9, 2025, and involves a potential NULL pointer dereference issue where the variable d->name, returned by devmkasprintf(), could be NULL without proper checking (NVD, Wiz).

The vulnerability exists in the USB gadget driver's Aspeed implementation where a missing NULL pointer check in the astvhubinitdev() function could lead to a NULL pointer dereference. The issue is similar to a previous fix implemented in commit 3027e7b15b02 for iceptp.c. According to Red Hat's assessment, this vulnerability has been assigned a CVSS v3.1 base score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability has been assessed as having a moderate severity impact. If exploited, it could lead to a system crash due to the NULL pointer dereference, potentially causing a denial of service condition. The impact is limited to availability with no direct effects on confidentiality or integrity (Red Hat).

A fix has been implemented by adding a NULL pointer check in the astvhubinit_dev() function. Red Hat has confirmed that several of their products, including Red Hat Enterprise Linux 6, 7, 8, and 9, along with their RT variants, are not affected by this vulnerability (Red Hat).