CVE-2025-37942: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37942 is a vulnerability discovered in the Linux kernel's HID (Human Interface Device) subsystem, specifically affecting the pidff component. The vulnerability was disclosed on May 20, 2025, and involves improper handling of pool reports that particularly affects devices like the VRS DirectForce PRO (NVD, Wiz).

The vulnerability stems from a race condition in the HID pidff driver where pool reports are sometimes incorrectly handled. The issue specifically occurs when checking SIMULTANEOUS_MAX without properly fetching the pool first. Red Hat has assigned this vulnerability a CVSS v3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (Wiz).

When exploited, this vulnerability can cause system oops (crashes) on affected devices, particularly observed on the VRS DirectForce PRO hardware. This can lead to system instability and potential denial of service conditions (Wiz).

The vulnerability has been resolved in the Linux kernel through a patch that implements proper pool report handling. The fix includes refetching pool reports before checking SIMULTANEOUS_MAX and restructuring the loop logic to prevent infinite loops. The fix replaces a while loop with a for loop and adjusts exit conditions to decrease the possibility of creating an infinite loop scenario (NVD).