CVE-2025-37887: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37887 is a vulnerability discovered in the Linux kernel's pdscore component, disclosed on May 9, 2025. The vulnerability affects the handling of unsupported PDS_CORE_CMD_FW_CONTROL command results in the Linux kernel (NVD, Wiz).

The vulnerability occurs when the FW doesn't support the PDS_CORE_CMD_FW_CONTROL command. The root cause is that the stack variable fw_list is not properly initialized to zero, resulting in fw_list.num_fw_slots containing garbage values from the stack. This leads to the driver attempting to access fw_list.fw_names[i] with an index that exceeds the array size. According to Red Hat's assessment, this vulnerability has been assigned a CVSS v3.1 base score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat CVE).

When exploited, this vulnerability can result in the driver printing garbage output at minimum, and potentially causing a system crash at worst when users execute the 'devlink dev info' devlink command (NVD).

The vulnerability has been resolved in the Linux kernel through proper initialization of the fw_list variable and improved handling of devcmd failures. The fix ensures that other useful information can still be printed via devlink dev info even if the devcmd fails (NVD).