CVE-2025-37759: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

ublk: fix handling recovery & reissue in ublk_abort_queue()

Commit 8284066946e6 ("ublk: grab request reference when the request is handled by userspace") doesn't grab request reference in case of recovery reissue. Then the request can be requeued & re-dispatch & failed when canceling uring command.

If it is one zc request, the request can be freed before io_uring returns the zc buffer back, then cause kernel panic:

[ 126.773061] BUG: kernel NULL pointer dereference, address: 00000000000000c8
[ 126.773657] #PF: supervisor read access in kernel mode
[ 126.774052] #PF: error_code(0x0000) - not-present page
[ 126.774455] PGD 0 P4D 0
[ 126.774698] Oops: Oops: 0000 [#1] SMP NOPTI
[ 126.775034] CPU: 13 UID: 0 PID: 1612 Comm: kworker/u64:55 Not tainted 6.14.0_blk+ #182 PREEMPT(full)
[ 126.775676] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014
[ 126.776275] Workqueue: iou_exit io_ring_exit_work
[ 126.776651] RIP: 0010:ublk_io_release+0x14/0x130 [ublk_drv]

Fixes it by always grabbing request reference for aborting the request.
AI Analysis
Technical Summary
CVE-2025-37759 is a vulnerability identified in the Linux kernel's ublk (userspace block driver) subsystem. The issue stems from improper handling of request references during recovery and reissue operations within the ublk_abort_queue() function. Specifically, a commit (8284066946e6) intended to improve request reference management failed to grab a request reference when a request was reissued as part of recovery. This flaw allows a request to be requeued, redispatched, and potentially fail during cancellation. In scenarios involving zero-copy (zc) requests, this can lead to the request being freed prematurely before io_uring returns the zero-copy buffer, causing a kernel NULL pointer dereference and subsequent kernel panic. The kernel panic manifests as a supervisor read access fault at a null pointer offset, resulting in system instability and potential denial of service. The vulnerability is addressed by ensuring that the request reference is always grabbed when aborting a request, preventing premature freeing and use-after-free conditions. This vulnerability affects Linux kernel versions containing the specified commit and is relevant to systems utilizing the ublk driver and io_uring interface for high-performance asynchronous I/O operations. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers and infrastructure running affected Linux kernel versions with ublk and io_uring enabled. The impact includes potential denial of service through kernel panics, which can disrupt critical services, especially in data centers, cloud environments, and enterprise servers relying on Linux for storage and I/O operations. Systems handling high volumes of asynchronous I/O or leveraging zero-copy buffers are particularly vulnerable. The kernel panic can cause unexpected downtime, data loss in volatile caches, and require system reboots, affecting availability and operational continuity. While there is no indication of privilege escalation or remote code execution, the denial of service impact can be significant for service providers, financial institutions, and critical infrastructure operators in Europe. Additionally, the complexity of the vulnerability may delay patch adoption, prolonging exposure. Given the widespread use of Linux in European IT environments, the vulnerability could affect a broad range of sectors including telecommunications, manufacturing, and government services.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the fix for CVE-2025-37759. Specifically, applying the patch that ensures request references are properly grabbed during abort and recovery operations in the ublk driver is critical. System administrators should audit their kernel versions and confirm whether the vulnerable commit is present. For environments using io_uring and zero-copy buffers, additional monitoring for kernel panics and abnormal system reboots should be implemented to detect exploitation attempts. Where immediate patching is not feasible, organizations can consider temporarily disabling or limiting the use of ublk and io_uring features if operationally possible, to reduce exposure. Furthermore, implementing robust system monitoring and alerting for kernel oops and panics will aid in early detection. Coordination with Linux distribution vendors for timely patch releases and applying vendor-specific security advisories is recommended. Finally, testing patches in staging environments before deployment can prevent unintended disruptions.
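The monitoring recommended above can key on the crash signature quoted in the description. The following is an added example, not part of the original advisory or the kernel project: it groups dmesg-style log lines into one record per NULL-dereference report and flags those whose faulting instruction is in ublk_io_release of ublk_drv. The function names, the second sample report and the "end trace" line are constructed for illustration; a match is a triage hint, not proof of this bug.

```python
import re

LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")  # "[  126.773061] message"
START = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
RIP = re.compile(r"RIP: [0-9a-f]{4}:([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
WQ = re.compile(r"Workqueue: \S+ (\S+)")

# First report: lines quoted in the CVE description. The "end trace" line and
# the second report (hypothetical symbol and module) are constructed.
SAMPLE = """\
[  126.773061] BUG: kernel NULL pointer dereference, address: 00000000000000c8
[  126.773657] #PF: supervisor read access in kernel mode
[  126.776275] Workqueue: iou_exit io_ring_exit_work
[  126.776651] RIP: 0010:ublk_io_release+0x14/0x130 [ublk_drv]
[  126.790000] ---[ end trace 0000000000000000 ]---
[  300.100000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  300.100500] RIP: 0010:example_fn+0x10/0x40 [example_mod]
"""


def parse_oopses(text):
    """Return one dict per NULL-dereference report found in kernel log text."""
    reports, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped kernel log line
        ts, msg = float(m.group(1)), m.group(2)
        start = START.search(msg)
        if start:
            cur = {"time": ts, "address": int(start.group(1), 16),
                   "symbol": None, "module": None, "workqueue": None}
            reports.append(cur)
        elif cur is None:
            continue  # line is outside any report
        elif "end trace" in msg:
            cur = None  # report finished; later lines belong elsewhere
        elif (wq := WQ.search(msg)):
            cur["workqueue"] = wq.group(1)
        elif (rip := RIP.search(msg)) and cur["symbol"] is None:
            # Keep only the first RIP line; an oops may repeat it.
            cur["symbol"], cur["module"] = rip.group(1), rip.group(2)
    return reports


def ublk_release_oopses(text):
    """Reports whose faulting instruction is ublk_io_release in ublk_drv."""
    return [r for r in parse_oopses(text)
            if r["module"] == "ublk_drv" and r["symbol"] == "ublk_io_release"]
```

The input is assumed to carry dmesg-style bracketed timestamps; other log formats need a different line pattern.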
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T04:51:23.938Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe836b
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 10:43:01 PM
Last updated: 7/29/2025, 6:32:19 AM