CVE-2025-37998: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37998 is a vulnerability discovered in the Linux kernel's openvswitch component, specifically related to unsafe attribute parsing in the output_userspace() function. The vulnerability was publicly disclosed on May 29, 2025, affecting multiple versions of the Linux kernel across various distributions (NVD).

The vulnerability stems from improper attribute parsing in the outputuserspace() function within the Linux kernel's openvswitch component. The fix involves replacing manual Netlink attribute iteration with nlaforeachnested() to ensure only well-formed attributes are processed. Red Hat has assigned this vulnerability a CVSS v3.1 base score of 7.0 with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (Wiz).

The vulnerability affects multiple Linux kernel versions across various distributions. In Debian, versions affected include bullseye (5.10.223-1 and 5.10.237-1), bookworm (6.1.137-1), and trixie (6.12.27-1). Ubuntu distributions from 16.04 through 25.04 are also affected (Debian Tracker, Ubuntu).

Fixed versions have been released for some distributions: Debian bookworm has been fixed in version 6.1.140-1, and sid in version 6.12.30-1. Red Hat has marked this for deferred fixes in Red Hat Enterprise Linux 9 and 10 (Debian Tracker).