CVE-2025-37967: 
Linux Kernel vulnerability analysis and mitigation

A deadlock vulnerability (CVE-2025-37967) was discovered in the Linux kernel's USB Type-C UCSI driver, specifically affecting the displayport functionality. The vulnerability was disclosed on May 20, 2025, and impacts various Linux distributions including Debian, Ubuntu, and Red Hat Enterprise Linux systems (NVD, Wiz).

The vulnerability stems from a mutex locking issue in the UCSI driver's displayport functionality. The problem occurs when ucsidisplayportremovepartner holds con->mutex while waiting for dpaltmodework to complete, while dpaltmode_work simultaneously attempts to acquire the same mutex, leading to a deadlock condition. The CVSS v3.1 score is 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating moderate severity (Wiz).

The deadlock condition in the USB Type-C UCSI driver can potentially cause system hangs or freezes when using DisplayPort functionality over USB Type-C connections, affecting system stability and user experience (Wiz).

The vulnerability has been patched in the Linux kernel through the introduction of ucsiconmutexlock and ucsiconmutexunlock functions. These new functions ensure proper mutex handling by only locking the connector mutex when a connection is established and the partner pointer is valid. The fix has been included in Linux kernel version 6.1.140-1 for Debian stable distribution (Debian).