CVE-2025-37787

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A vulnerability in the Linux kernel has been resolved, specifically in the net: dsa: mv88e6xxx module. The issue occurs when a system with mv88e6xxx dereferences a NULL pointer when unbinding the driver, causing a crash. This happens because some devlink regions are conditionally registered, and if the chip does not have an STU or PVT, it should crash. The crash seems to be in the devlink region destroy() function, which is not NULL tolerant but is given a NULL devlink global region pointer.

Recommendations To fix the issue, avoid unregistering those regions which are NULL, i.e., were skipped at mv88e6xxx setup devlink regions global() time. As a temporary workaround, consider disabling the devlink region destroy() function until a patch is available. Restrict access to the vulnerable mv88e6xxx module to minimize the risk of exploitation. Avoid using the mv88e6xxx setup devlink regions global() function until the issue is resolved.