CVE-2025-37812 – A race condition in the Linux kernel's cdns3 US... (How to Fix)

Q: What is the severity of CVE-2025-37812?

CVE-2025-37812 has a CVSS score of 5.5 (MEDIUM). A race condition in the Linux kernel's cdns3 USB driver causes a deadlock when using NCM gadget functionality under PREEMPT_RT configuration. This vulnerability can cause system lockups requiring hard resets, affecting Linux systems with specific USB hardware and NCM gadget usage.

📋 TL;DR

A race condition in the Linux kernel's cdns3 USB driver causes a deadlock when using NCM gadget functionality under PREEMPT_RT configuration. This vulnerability can cause system lockups requiring hard resets, affecting Linux systems with specific USB hardware and NCM gadget usage.

💻 Affected Systems

Products:

Linux kernel with cdns3 USB driver

Versions: Linux kernel versions before fixes in stable releases

Operating Systems: Linux distributions with PREEMPT_RT configuration

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when using NCM gadget functionality with PREEMPT_RT kernel configuration and specific USB hardware.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system deadlock requiring hard reboot, causing denial of service and potential data loss.

🟠

Likely Case

System lockup under heavy network traffic when using NCM gadget, requiring manual intervention to restore service.

🟢

If Mitigated

Minor performance impact from disabled softirqs during interrupt handling.

🌐 Internet-Facing: LOW - Requires local USB gadget configuration and specific traffic patterns.

🏢 Internal Only: MEDIUM - Affects systems using NCM gadget functionality for USB networking.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires specific hardware configuration and heavy network traffic patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel stable releases containing commit 09e90a9689a4aac7a2f726dc2aa472b0b37937b7 or later

Vendor Advisory: https://git.kernel.org/stable/c/09e90a9689a4aac7a2f726dc2aa472b0b37937b7

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version. 2. Rebuild kernel if using custom kernel. 3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable NCM gadget

linux

Disable NCM gadget functionality if not required

modprobe -r g_ncm
echo 'blacklist g_ncm' >> /etc/modprobe.d/blacklist.conf

Avoid PREEMPT_RT configuration

linux

Use standard kernel configuration instead of PREEMPT_RT

🧯 If You Can't Patch

Avoid using NCM gadget functionality with cdns3 USB hardware
Monitor system for lockups and implement automated recovery procedures

🔍 How to Verify

Check if Vulnerable:

Check if using cdns3 USB driver and NCM gadget: lsmod | grep -E '(cdns3|g_ncm)'

Check Version:

uname -r

Verify Fix Applied:

Check kernel version includes fix: uname -r and verify against patched versions

📡 Detection & Monitoring

Log Indicators:

System lockups
Kernel panic messages
Interrupt handler timeouts

Network Indicators:

Sudden network connectivity loss on USB interfaces

SIEM Query:

source="kernel" AND ("deadlock" OR "lockup" OR "cdns3" OR "NCM")

📊 Metadata

CVE ID: CVE-2025-37812

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-667

EPSS Score: 0.02% exploit probability (4.5th percentile)

Published: May 8, 2025

Last Updated: November 12, 2025

🔗 References

https://git.kernel.org/stable/c/09e90a9689a4aac7a2f726dc2aa472b0b37937b7 Patch
https://git.kernel.org/stable/c/48a62deb857f0694f611949015e70ad194d97159 Patch
https://git.kernel.org/stable/c/59a760e4796a3cd88d8b9d7706e0a638de677751 Patch
https://git.kernel.org/stable/c/74cd6e408a4c010e404832f0e4609d29bf1d0c41 Patch
https://git.kernel.org/stable/c/a1059896f2bfdcebcdc7153c3be2307ea319501f Patch
https://git.kernel.org/stable/c/b96239582531775f2fdcb14de29bdb6870fd4c8c Patch
https://git.kernel.org/stable/c/c27db84ed44e50ff90d9e3a2a25fae2e0a0fa015 Patch
https://git.kernel.org/stable/c/eebfb64c624fc738b669100173344fb441c5e719 Patch
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-37812, you might also want to check these: