CVE-2025-37842: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:
spi: fsl-qspi: use devm function instead of driver remove
The driver uses devm APIs to manage clk/irq/resources and register the spi controller, but the legacy remove function will be called first during device detach and trigger a kernel panic. Drop the remove function and use devm_add_action_or_reset() for driver cleanup to ensure the release sequence.
Trigger kernel panic on i.MX8MQ by: echo 30bb0000.spi >/sys/bus/platform/drivers/fsl-quadspi/unbind
AI Analysis
Technical Summary
CVE-2025-37842 is a vulnerability in the Linux kernel's fsl-qspi SPI controller driver, used on certain embedded systems, notably those based on the i.MX8MQ platform. The issue arises from improper resource management during device removal. The driver uses devm (device-managed) APIs to handle clocks, interrupts and other resources and to register the SPI controller, but it retains a legacy remove function, and the driver core calls that remove function before the device-managed resources are released. With the hardware already torn down by remove, the later devm release runs in the wrong order and the kernel panics. The condition is reached by unbinding the SPI controller device, for example with 'echo 30bb0000.spi >/sys/bus/platform/drivers/fsl-quadspi/unbind' on an affected system. The root cause is the coexistence of devm API usage with an outdated remove function, which leads to double or out-of-order cleanup of resources and a kernel crash. The fix drops the legacy remove function and registers the cleanup with devm_add_action_or_reset(), so that it is released in sequence with the other device-managed resources. The affected kernel versions are identified by the commit hashes referenced in the CVE record (not reproduced here); the issue is most relevant to embedded Linux systems using the fsl-qspi driver on i.MX8MQ hardware. No exploits in the wild had been reported as of the publication date, and no CVSS score had been assigned.
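The teardown-order defect and its fix, as an added userspace model (not kernel code and not the fsl-qspi driver's own): it reproduces only the driver core's rule that a driver's remove() runs before devres entries are released in reverse order of registration. The clock/controller names, hw_quiesce and the fault counter standing in for the panic are constructed for the illustration.

```c
#include <stdbool.h>
#define MAX_DEVRES 8
typedef void (*release_fn)(void *data);
/* Minimal devres stack; the driver core releases entries last-in, first-out. */
struct device { release_fn fn[MAX_DEVRES]; void *data[MAX_DEVRES]; int n; };
struct qspi { bool clk_on; bool registered; int faults; };

/* Model of devm_add_action_or_reset(): queue the cleanup, or run it at once
 * if queuing fails, so probe never has to undo it by hand. */
static int devm_add_action_or_reset(struct device *dev, release_fn fn, void *d) {
    if (dev->n >= MAX_DEVRES) { fn(d); return -1; }
    dev->fn[dev->n] = fn; dev->data[dev->n] = d; dev->n++;
    return 0;
}

static void devres_release_all(struct device *dev) {
    while (dev->n > 0) { dev->n--; dev->fn[dev->n](dev->data[dev->n]); }
}
static void clk_disable(void *d) { ((struct qspi *)d)->clk_on = false; }
static void hw_quiesce(void *d) { clk_disable(d); }  /* what the legacy remove() did */
static void ctlr_unregister(void *d) {
    struct qspi *q = d;
    if (!q->clk_on) q->faults++;  /* register access with the clock gated: the panic */
    q->registered = false;
}

/* Vulnerable shape: clock and controller are devm-managed, but a legacy
 * remove() also quiesces the hardware, and remove() runs before devres release,
 * so the controller is unregistered after its clock is already gated. */
static int unbind_legacy(void) {
    struct device dev = { .n = 0 }; struct qspi q = { .faults = 0 };
    q.clk_on = true;     devm_add_action_or_reset(&dev, clk_disable, &q);
    q.registered = true; devm_add_action_or_reset(&dev, ctlr_unregister, &q);
    hw_quiesce(&q);             /* remove() runs first */
    devres_release_all(&dev);   /* ctlr_unregister finds the clock off -> fault */
    return q.faults;            /* 1 */
}

/* Fixed shape: no remove(); the quiesce step is queued with
 * devm_add_action_or_reset() before the controller is registered, so LIFO
 * release unregisters the controller first, then quiesces, then gates the clock. */
static int unbind_devm(void) {
    struct device dev = { .n = 0 }; struct qspi q = { .faults = 0 };
    q.clk_on = true;     devm_add_action_or_reset(&dev, clk_disable, &q);
    devm_add_action_or_reset(&dev, hw_quiesce, &q);
    q.registered = true; devm_add_action_or_reset(&dev, ctlr_unregister, &q);
    devres_release_all(&dev);
    return q.faults;            /* 0 */
}
```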
Potential Impact
The primary impact of this vulnerability is a denial of service (DoS) condition: the kernel panic crashes the system and causes downtime. For European organizations relying on embedded Linux devices with the affected fsl-qspi SPI controller driver, such as industrial control systems, IoT devices or specialized hardware based on the i.MX8MQ platform, this could disrupt operations through unexpected reboots or failures. It does not directly lead to privilege escalation or data leakage, but the availability impact can be significant where continuous operation is critical, such as manufacturing, transportation or critical infrastructure. Recovery from a kernel panic may require manual intervention or an automated reboot mechanism, and repeated crashes would degrade system reliability and increase maintenance costs. Because the condition is triggered by device unbinding, it could be exploited by a local attacker or a malicious process that already holds sufficient privileges to unbind devices, causing a denial of service. Remote exploitation is unlikely without prior access or privilege escalation.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should prioritize updating their Linux kernel to a version that includes the patch, which removes the legacy remove function and uses devm_add_action_or_reset() for resource cleanup. Embedded device vendors should release firmware updates incorporating this fix, and organizations should apply them promptly. Additionally, organizations should restrict access to privileged interfaces such as the sysfs entries that allow unbinding of devices (e.g., /sys/bus/platform/drivers/fsl-quadspi/unbind) to trusted users only, minimizing the risk of accidental or malicious triggering of the kernel panic. Monitoring system logs for unexpected kernel panics related to the fsl-qspi driver can help detect attempts to exploit this vulnerability. For critical systems, watchdog timers and automated recovery mechanisms can reduce the downtime caused by a kernel panic. Finally, organizations should review their embedded device inventory to identify systems using the affected driver and platform, so that patch management and risk assessment can be targeted.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T04:51:23.953Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9818c4522896dcbd7c59
Added to database: 5/21/2025, 9:08:40 AM
Last enriched: 7/4/2025, 12:13:44 AM
Last updated: 7/27/2025, 8:07:42 PM