CVE-2025-37980: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37980 is a resource leak vulnerability discovered in the Linux kernel's block subsystem, specifically in the blkregisterqueue() error path. The vulnerability was disclosed on May 20, 2025, and affects various Linux distributions including Ubuntu, Red Hat Enterprise Linux, and Debian systems (NVD CVE, Wiz Report).

The vulnerability occurs when registering a queue fails after blkmqsysfsregister() is successful but the function encounters an error later in its execution. The issue stems from missing cleanup code, specifically the absence of a blkmqsysfsunregister() call in the error path. This leads to improper cleanup of blkmqsysfs resources and results in a memory leak. The vulnerability has been assigned a CVSS 3.1 base score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability results in a memory leak in the Linux kernel's block subsystem, which could potentially lead to resource exhaustion over time if repeatedly triggered. The impact is considered Medium severity according to Ubuntu's security assessment (Ubuntu Security).

The vulnerability has been addressed by adding the missing blkmqsysfs_unregister() call in the error path to properly clean up resources. Various Linux distributions are in the process of releasing patches, with some versions already having fixes available. Ubuntu has marked this as 'work in progress' for version 25.04, while Red Hat has deferred fixes for RHEL 9 and 10 (Ubuntu Security, Red Hat).