CVE-2025-37909 | net: lan743x: Fix memleak issue when GSO enabled

In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Fix memleak issue when GSO enabled Always map the `skb` to the LS descriptor. Previously skb was mapped to EXT descriptor when the number of fragments is zero with GSO enabled. Mapping the skb to EXT descriptor prevents it from being freed, leading to a memory leak

Published: 2025-05-20 Last update: 2025-11-17 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD Status:AnalyzedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2025-37909 is rated Low Risk (32/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.10%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-37909

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-03-16 0.03% 0.10% +0.08%
2 2025-11-18 0.06% 0.03% -0.03%
3 2025-10-28 0.06%

Full EPSS history (6 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-37909

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.5 3.1 MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.8 3.6 [email protected]

Weakness enumeration for CVE-2025-37909

OS Trackers for CVE-2025-37909

vendor priority summary link
debian not yet assigned CVE-2025-37909 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6. https://security-tracker.debian.org/tracker/CVE-2025-37909
redhat low https://access.redhat.com/security/cve/CVE-2025-37909
suse medium https://www.suse.com/security/cve/CVE-2025-37909/
ubuntu medium CVE-2025-37909 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1551 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1145, released 168, ignored 164, not-affected 46, needed 25, needs-triage 2, pending 1. https://ubuntu.com/security/CVE-2025-37909

Affected software / configurations for CVE-2025-37909

Vendor Product Version Raw CPE
linux linux_kernel >= 4.17, < 5.4.294 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.5, < 5.10.238 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.11, < 5.15.182 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.16, < 6.1.138 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.2, < 6.6.90 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.7, < 6.12.28 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.13, < 6.14.6 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel 6.15 cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*
linux linux_kernel 6.15 cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*
linux linux_kernel 6.15 cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*
linux linux_kernel 6.15 cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*
debian debian_linux 11.0 cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

References for CVE-2025-37909

URL Tags
https://git.kernel.org/stable/c/093855ce90177488eac772de4eefbb909033ce5f Patch
https://git.kernel.org/stable/c/189b05f189cac9fd233ef04d31cb5078c4d09c39 Patch
https://git.kernel.org/stable/c/2d52e2e38b85c8b7bc00dca55c2499f46f8c8198 Patch
https://git.kernel.org/stable/c/6c65ee5ad632eb8dcd3a91cf5dc99b22535f44d9 Patch
https://git.kernel.org/stable/c/a0e0efbabbbe6a1859bc31bf65237ce91e124b9b Patch
https://git.kernel.org/stable/c/dae1ce27ceaea7e1522025b15252e3cc52802622 Patch
https://git.kernel.org/stable/c/df993daa4c968b4b23078eacc248f6502ede8664 Patch
https://git.kernel.org/stable/c/f42c18e2f14c1b1fdd2a5250069a84bc854c398c Patch
https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html Mailing List
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html Mailing List
cvelogic Threat Intelligence