CVE-2025-37973: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37973 is a vulnerability discovered in the Linux kernel affecting the wifi subsystem, specifically in the cfg80211 component. The vulnerability was disclosed on May 20, 2025, and involves an out-of-bounds access issue during multi-link element defragmentation (NVD, Wiz).

The vulnerability occurs during the multi-link element defragmentation process in the cfg80211defragmle() function. The issue arises when the multi-link element length is added to the total IEs length when calculating the length of remaining IEs after the multi-link element. This calculation error could lead to out-of-bounds access if the multi-link element or its corresponding fragment elements are the last elements in the IEs buffer (Wiz).

The vulnerability could potentially result in out-of-bounds access in the Linux kernel's wifi subsystem, which may affect system stability and security. The issue specifically impacts the handling of multi-link elements in the cfg80211 component (Wiz).

The vulnerability has been resolved by correctly calculating the remaining IEs length. The fix involves deducting the multi-link element end offset from total IEs end offset to prevent the out-of-bounds access condition. Various Linux distributions have different statuses: Ubuntu versions 16.04 through 25.04 are affected with medium severity, while some older versions are not affected (Ubuntu).