CVE-2025-37791 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll()
rpl is passed as a pointer to ethtool_cmis_module_poll(), so the correct size of rpl is sizeof(*rpl) which should be just 1 byte. Using the pointer size instead can cause stack corruption:
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ethtool_cmis_wait_for_cond+0xf4/0x100 CPU: 72 UID: 0 PID: 4440 Comm: kworker/72:2 Kdump: loaded Tainted: G OE 6.11.0 #24 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Dell Inc. PowerEdge R760/04GWWM, BIOS 1.6.6 09/20/2023 Workqueue: events module_flash_fw_work Call Trace: <TASK> panic+0x339/0x360 ? ethtool_cmis_wait_for_cond+0xf4/0x100 ? __pfx_status_success+0x10/0x10 ? __pfx_status_fail+0x10/0x10 __stack_chk_fail+0x10/0x10 ethtool_cmis_wait_for_cond+0xf4/0x100 ethtool_cmis_cdb_execute_cmd+0x1fc/0x330 ? __pfx_status_fail+0x10/0x10 cmis_cdb_module_features_get+0x6d/0xd0 ethtool_cmis_cdb_init+0x8a/0xd0 ethtool_cmis_fw_update+0x46/0x1d0 module_flash_fw_work+0x17/0xa0 process_one_work+0x179/0x390 worker_thread+0x239/0x340 ? __pfx_worker_thread+0x10/0x10 kthread+0xcc/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK>
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/17/2026
The vulnerability identified as CVE-2025-37791 resides within the Linux kernel's ethtool subsystem, specifically affecting the handling of CMIS (Cable Management Interface Specification) module operations. This flaw manifests in the function ethtool_cmis_module_poll() where incorrect sizing of a variable named rpl leads to stack corruption. The issue arises from the improper use of sizeof(rpl) instead of sizeof(*rpl) when rpl is passed as a pointer to the function. This misalignment in memory handling can result in a kernel panic, indicating a critical failure in system stability and security integrity.
The technical root cause of this vulnerability stems from a memory management error where the size parameter used for stack protection mechanisms becomes incorrect due to pointer dereferencing. When sizeof(rpl) is used, it returns the size of the pointer itself rather than the size of the data it points to, which in this case is a single byte. This discrepancy causes the stack protector mechanism to miscalculate the bounds of the allocated stack space, leading to corruption when the function attempts to access memory beyond its intended boundaries. The kernel panic message clearly indicates that stack corruption has occurred within the ethtool_cmis_wait_for_cond function, which is part of the CMIS module polling process, suggesting that this vulnerability directly impacts network interface card management and firmware update operations.
The operational impact of this vulnerability extends beyond simple system instability, as it can be exploited to cause denial of service conditions within network infrastructure. The affected subsystem is responsible for managing CMIS-compliant modules, which are commonly used in high-speed networking equipment such as data center switches and servers. When triggered, this vulnerability can lead to complete system crashes, forcing administrators to restart affected systems and potentially disrupting network services. Given that the vulnerability occurs during firmware update processes, it could also prevent legitimate firmware upgrades, leaving systems exposed to other security issues. The fact that this vulnerability is triggered through kernel workqueue execution indicates that it can be activated during normal system operations, making it particularly dangerous as it does not require special privileges to exploit.
Mitigation strategies for CVE-2025-37791 should focus on applying the patched kernel version that corrects the size calculation error in the ethtool_cmis_module_poll() function. System administrators should prioritize updating their Linux kernel installations to versions that contain the fix, which typically involves changing the sizeof(rpl) reference to sizeof(*rpl) to ensure proper byte-level memory management. Additionally, monitoring systems should be configured to detect kernel panics or stack corruption events that may indicate exploitation attempts. The vulnerability aligns with CWE-121, which describes stack-based buffer overflow conditions, and could potentially be leveraged in attacks categorized under ATT&CK technique T1499.001, which involves network denial of service attacks. Organizations should also implement network segmentation and access controls to limit exposure, while maintaining regular security audits to identify potential exploitation vectors. The fix demonstrates the importance of careful memory management in kernel space operations, particularly when dealing with hardware interface specifications that require precise timing and memory handling.