CVE-2025-37997: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability (CVE-2025-37997) was discovered in the Linux kernel's netfilter ipset component, specifically related to region locking in hash types. The issue was introduced in version 5.6-rc4 and involves incorrect implementation of region locking macros. The vulnerability was disclosed on May 29, 2025 (NVD).

The vulnerability stems from three macros handling region locks: ahashbucketstart(), ahashbucketend(), and ahashregion(). While the first two macros correctly handled start and end hash bucket values for region locks, the ahashregion() macro contained an implementation error. This flaw specifically affects hash type sets configured with timeouts. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.0, indicating moderate severity (Wiz).

The incorrect implementation of the ahash_region() macro can lead to race conditions between the garbage collector and the process of adding new elements when a hash type set is defined with timeouts (NVD).

Red Hat has indicated that fixes are deferred for Red Hat Enterprise Linux 10 and Red Hat Enterprise Linux 9, including the kernel-rt variant. Earlier versions (RHEL 6, 7, and 8) are out of support scope. Debian 12 has a fix available, while Debian 11 and 13 currently have no fix. Ubuntu versions 16.04 through 25.04 are affected with medium severity and currently have no fix (Wiz).