PT-2025-20494 · Linux+4 · Linux Kernel+4
Published: 2025-03-11 · Updated: 2026-02-02
CVE-2025-37843
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A long-standing race condition in the Linux kernel's PCI hotplug functionality can lead to a deadlock when hot-removing nested PCI hotplug ports. This issue occurs when a parent hotplug port acquires a lock and waits for a child port to unbind, while the child port attempts to acquire the same lock to remove its own children. The deadlock only happens if the parent acquires the lock first. A recent commit increased the frequency of this deadlock when removing multiple Thunderbolt devices during system sleep. The issue arises from the inability to reliably differentiate between device replacement and removal.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Improper Locking
Related Identifiers
Affected Products
Astra Linux
Linux Mint
Linux Kernel
Red OS
Ubuntu