
CVE-2025-37843: Vulnerability in Linux Linux

Medium
Published: Fri May 09 2025 (05/09/2025, 06:41:52 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

PCI: pciehp: Avoid unnecessary device replacement check

Hot-removal of nested PCI hotplug ports suffers from a long-standing race condition which can lead to a deadlock: A parent hotplug port acquires pci_lock_rescan_remove(), then waits for pciehp to unbind from a child hotplug port. Meanwhile that child hotplug port tries to acquire pci_lock_rescan_remove() as well in order to remove its own children. The deadlock only occurs if the parent acquires pci_lock_rescan_remove() first, not if the child happens to acquire it first.

Several workarounds to avoid the issue have been proposed and discarded over the years, e.g.: https://lore.kernel.org/r/4c882e25194ba8282b78fe963fec8faae7cf23eb.1529173804.git.lukas@wunner.de/

A proper fix is being worked on, but needs more time as it is nontrivial and necessarily intrusive.

Recent commit 9d573d19547b ("PCI: pciehp: Detect device replacement during system sleep") provokes more frequent occurrence of the deadlock when removing more than one Thunderbolt device during system sleep. The commit sought to detect device replacement, but also triggered on device removal. Differentiating reliably between replacement and removal is impossible because pci_get_dsn() returns 0 both if the device was removed, as well as if it was replaced with one lacking a Device Serial Number.

Avoid the more frequent occurrence of the deadlock by checking whether the hotplug port itself was hot-removed. If so, there's no sense in checking whether its child device was replaced. This works because the ->resume_noirq() callback is invoked in top-down order for the entire hierarchy: A parent hotplug port detecting device replacement (or removal) marks all children as removed using pci_dev_set_disconnected() and a child hotplug port can then reliably detect being removed.

AI-Powered Analysis

Last updated: 07/04/2025, 00:14:17 UTC

Technical Analysis

CVE-2025-37843 is a vulnerability identified in the Linux kernel's PCI Express Hotplug (pciehp) subsystem. The issue arises from a race condition during the hot-removal of nested PCI hotplug ports, which can lead to a deadlock. Specifically, when a parent hotplug port acquires the pci_lock_rescan_remove() lock and waits for the pciehp driver to unbind from a child hotplug port, the child port simultaneously attempts to acquire the same lock to remove its own children. Because of this lock-ordering dependency, the deadlock occurs only if the parent acquires the lock first. The problem is exacerbated by a recent kernel commit (9d573d19547b) intended to detect device replacement during system sleep, which inadvertently increases the frequency of deadlocks when removing multiple Thunderbolt devices during sleep. The root cause is that removal and replacement cannot be reliably distinguished, because pci_get_dsn() returns zero both when the device was removed and when it was replaced with one lacking a Device Serial Number. The mitigation checks whether the hotplug port itself was hot-removed before running the replacement check on its child; this works because ->resume_noirq() is invoked top-down over the hierarchy, so a parent port that detects replacement (or removal) first marks all its children as removed with pci_dev_set_disconnected(), and a child port can then reliably see that it has been removed. This avoids the unnecessary replacement check and reduces deadlock occurrences. The vulnerability affects Linux kernel versions containing the specified commit and requires careful patching due to its intrusive nature. No known exploits are currently reported in the wild.
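The following is an added model, not kernel code, of the top-down ->resume_noirq() ordering that the description and analysis above rely on. It constructs a nested hierarchy (root port, Thunderbolt dock, dock port, SSD), removes both devices during sleep, and records which hotplug ports still run the replacement check, since each such port would then go on to contend for pci_lock_rescan_remove(). The helper names mirror the kernel functions named in the advisory; the data structures, topology and DSN values are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Device:
    name: str
    dsn: int                  # Device Serial Number, 0 = none (constructed value)
    present: bool = True      # still physically attached after resume?
    disconnected: bool = False
    ports: List["Port"] = field(default_factory=list)  # nested hotplug ports

@dataclass
class Port:
    name: str
    child: Optional[Device] = None   # device the port was bound to at suspend
    saved_dsn: int = 0               # child's DSN recorded at suspend time
    disconnected: bool = False

def pci_get_dsn(dev: Optional[Device]) -> int:
    # Returns 0 for a removed device *and* for one without a DSN: the two
    # cases the advisory says cannot be told apart from this value alone.
    if dev is None or not dev.present or dev.disconnected:
        return 0
    return dev.dsn

def pci_dev_set_disconnected(dev: Device) -> None:
    # Parent-driven: mark the device and every nested port below it removed.
    dev.disconnected = True
    for port in dev.ports:
        port.disconnected = True
        if port.child is not None:
            pci_dev_set_disconnected(port.child)

def resume_noirq(port: Port, fixed: bool, checks: List[str]) -> List[str]:
    """Top-down resume; appends the name of each port that runs the
    replacement check (and would therefore try to take the rescan lock)."""
    if fixed and port.disconnected:
        return checks            # the fix: a removed port has nothing to check
    checks.append(port.name)
    if port.child is not None and pci_get_dsn(port.child) != port.saved_dsn:
        pci_dev_set_disconnected(port.child)   # replaced or removed
    if port.child is not None:
        for nested in port.child.ports:        # children resume after parent
            resume_noirq(nested, fixed, checks)
    return checks

def build_chain() -> Port:
    # Constructed topology: root port -> dock -> dock port -> SSD,
    # with both devices unplugged while the system was suspended.
    ssd = Device("ssd", dsn=0x22, present=False)
    dock_port = Port("dock-port", child=ssd, saved_dsn=0x22)
    dock = Device("dock", dsn=0x11, present=False, ports=[dock_port])
    return Port("root-port", child=dock, saved_dsn=0x11)
```

Without the fix both ports run the check and contend for the lock; with it, only the root port does, because the dock port sees the disconnected flag its parent set.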

Potential Impact

For European organizations, this vulnerability primarily threatens systems running Linux kernels with the affected pciehp implementation, especially those utilizing nested PCI hotplug ports and Thunderbolt devices. The deadlock can cause system hangs or freezes during device removal, impacting system availability and potentially leading to operational disruptions. Critical infrastructure, data centers, and enterprise environments relying on hot-pluggable PCI devices for scalability or maintenance could experience downtime or degraded performance. While the vulnerability does not directly compromise confidentiality or integrity, the availability impact can be significant in environments requiring high uptime. Systems undergoing frequent device hot-removal, such as development workstations, servers with dynamic hardware configurations, or virtualized environments using PCI passthrough, are at higher risk. The issue is particularly relevant during system sleep states, which are common in energy-conscious European data centers and enterprises. The lack of known exploits reduces immediate risk, but the complexity and intrusiveness of the fix suggest that unpatched systems remain vulnerable to operational disruptions.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions that include the fix for CVE-2025-37843 once officially released. Given the complexity of the fix, organizations should test kernel updates in controlled environments to ensure stability before wide deployment. In the interim, minimizing the use of nested PCI hotplug ports and avoiding hot-removal of multiple Thunderbolt devices during system sleep can reduce deadlock occurrences. System administrators should monitor system logs for signs of pci_lock_rescan_remove() deadlocks and implement alerting to detect hangs related to device removal. Where possible, scheduling device removal operations during active system states rather than sleep states can mitigate risk. Additionally, organizations should review their hardware configurations to limit nested hotplug scenarios and consider alternative hardware or configurations that do not rely on nested PCI hotplug ports. Collaboration with Linux distribution maintainers to receive timely patches and security advisories is also recommended.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.953Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd7c61

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/4/2025, 12:14:17 AM

Last updated: 8/13/2025, 9:34:28 AM

