PT-2025-22272 · Linux+5 · Linux Kernel+5
Published: 2025-04-17 · Updated: 2026-04-20
CVE-2025-37989
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A memory leak was discovered in the PHY LED trigger code of the Linux kernel. The issue was identified during a network restart test on a router, which led to an out-of-memory condition. The root cause is misuse of the devm API: the register and unregister functions can be called multiple times for the same PHY device, but devm-allocated memory is not freed until the driver is unbound. This also prevents kmemleak from detecting the leak. The issue is related to the phy_led_triggers_register and phy_led_triggers_unregister functions.
Recommendations
To resolve the issue, replace devm_kzalloc/devm_kcalloc with standard kzalloc/kcalloc, and add the corresponding kfree calls in the unregister path.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
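The lifetime mismatch described above, modelled in userspace C as an added example (it is not kernel code and not the upstream patch). The `model_*` helpers, the struct layouts, the `restart_cycles` function and the 64-byte allocation size are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Assumed userspace model of devm lifetime: managed memory hangs off the
 * device and is released only at driver unbind. */
struct devres { struct devres *next; };
struct device { struct devres *managed; size_t held; };

static void *model_devm_alloc(struct device *dev, size_t n)
{
    struct devres *r = calloc(1, sizeof(*r) + n);
    if (!r)
        return NULL;
    r->next = dev->managed;  /* stays referenced until unbind */
    dev->managed = r;
    dev->held += n;
    return r + 1;
}

static void model_unbind(struct device *dev)
{
    while (dev->managed) {
        struct devres *r = dev->managed;
        dev->managed = r->next;
        free(r);
    }
    dev->held = 0;
}

/* Runs register/unregister `cycles` times; returns bytes the device still holds.
 * managed=1: leaky pattern. managed=0: plain allocation freed in unregister. */
static size_t restart_cycles(struct device *dev, int cycles, size_t n, int managed)
{
    for (int i = 0; i < cycles; i++) {
        void *t = managed ? model_devm_alloc(dev, n) : calloc(1, n);  /* register */
        if (!t)
            break;
        if (!managed)
            free(t);  /* unregister can free; the managed path cannot */
    }
    return dev->held;
}

int main(void)
{
    struct device dev = {0};
    printf("managed: %zu bytes held\n", restart_cycles(&dev, 1000, 64, 1));
    model_unbind(&dev);
    printf("plain:   %zu bytes held\n", restart_cycles(&dev, 1000, 64, 0));
}
```

In the managed case every allocation is still linked from the device, which is why a reachability-based scanner such as kmemleak reports nothing while memory use grows with each restart.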
Exploit
Memory Leak
Weakness Enumeration
Related Identifiers
Affected Products
Astra Linux
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu