CVE-2025-37984: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability was discovered in the Linux kernel's crypto ECDSA implementation, identified as CVE-2025-37984. The issue was disclosed on May 20, 2025, and involves potential integer overflows in the DIVROUNDUP() function when an ECDSA implementation's ->key_size() callback returns unusually large values (NVD, RedHat).

The vulnerability stems from the DIVROUNDUP() function's handling of large values returned by the ECDSA implementation's ->keysize() callback. The issue affects the eccdigitsfrombytes() function, where the 'nbytes' parameter can be either a ->keysize() return value or a user-specified ASN.1 length in ecdsagetsignaturers(). The fix introduces a generic DIVROUNDUPPOW2() macro to replace DIVROUNDUP() for ->keysize() return values, using the formula X / 8 + !!(X & 7) for divisions by 8 (NVD).

The vulnerability has been assigned a CVSS v3.1 score of 7.0, indicating a moderate severity level. The vulnerability requires local access with high complexity and low privileges, but could potentially impact system confidentiality, integrity, and availability (RedHat).

Red Hat has indicated that fixes are deferred for Red Hat Enterprise Linux 9 and Red Hat Enterprise Linux 10, while versions 6 and 7 are not affected. Red Hat Enterprise Linux 8 is out of support scope for this vulnerability (RedHat).