
CVE-2025-37845: Vulnerability in Linux Linux

High
Published: Fri May 09 2025 (05/09/2025, 06:41:54 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: fprobe events: Fix possible UAF on modules

Commit ac91052f0ae5 ("tracing: tprobe-events: Fix leakage of module refcount") moved try_module_get() from __find_tracepoint_module_cb() to find_tracepoint() caller, but that introduced a possible UAF because the module can be unloaded before try_module_get(). In this case, the module object should be freed too. Thus, try_module_get() does not only fail but may access the freed object.

To avoid that, try_module_get() in __find_tracepoint_module_cb() again.

AI-Powered Analysis

Last updated: 07/04/2025, 00:25:06 UTC

Technical Analysis

CVE-2025-37845 is a use-after-free (UAF) vulnerability in the Linux kernel's tracing subsystem, specifically in fprobe and tprobe events. It stems from flawed handling of module reference counting during tracepoint module lookups. A recent code change (commit ac91052f0ae5) moved the try_module_get() call from the __find_tracepoint_module_cb() callback function to the caller of find_tracepoint(). This change inadvertently introduced a race condition: the module can be unloaded before try_module_get() is called, so the kernel might access the module object after it has been freed. The fix moves try_module_get() back into the callback so that the module reference count is incremented before any later access, preventing the use of freed memory.

This vulnerability could lead to kernel memory corruption, potentially allowing local attackers to execute arbitrary code with kernel privileges, cause system crashes, or escalate privileges. The affected versions are specific Linux kernel commits prior to the fix, indicating that this is a recent regression in kernel tracing code. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
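The ordering problem described above, reduced to a single-threaded userspace model. This is an added example, not kernel code and not part of the original advisory: `struct module`, `slot`, `load_module()`, `unload_module()`, `find_tracepoint_module()` and `pointer_survives_unload()` are hypothetical stand-ins, and `try_module_get()`/`module_put()` only borrow the kernel's names.

```c
/* Userspace model, not kernel code: struct module and the helpers below are
 * simplified stand-ins that only borrow the kernel's names. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct module { const char *name; int refcnt; bool live; };
static struct module slot;          /* constructed one-entry module list */

static void load_module(const char *name) {
    slot = (struct module){ .name = name, .refcnt = 0, .live = true };
}
/* Like try_module_get(): only succeeds on a module that is still live. */
static bool try_module_get(struct module *m) {
    if (!m->live) return false;
    m->refcnt++;
    return true;
}
static void module_put(struct module *m) { m->refcnt--; }

/* Unload is refused while a reference is held; otherwise the object dies. */
static bool unload_module(void) {
    if (!slot.live || slot.refcnt > 0) return false;
    slot.live = false;              /* the kernel would free the object here */
    return true;
}
/* Stand-in for the lookup callback. Assumption: its body runs while the module
 * cannot go away. pin=true takes the reference here (the fix); pin=false
 * leaves that to the caller (the regressed ordering). */
static struct module *find_tracepoint_module(const char *name, bool pin) {
    if (!slot.live || strcmp(slot.name, name) != 0) return NULL;
    if (pin && !try_module_get(&slot)) return NULL;
    return &slot;
}
/* Replays: lookup, unload attempt in the window, then the caller's use.
 * The late get is safe only because slot is static; in the kernel it is the UAF. */
static bool pointer_survives_unload(bool pin) {
    load_module("demo_mod");
    struct module *m = find_tracepoint_module("demo_mod", pin);
    bool unloaded = unload_module();
    bool ok = m && (pin || try_module_get(m));
    if (ok) module_put(m);
    return ok && !unloaded;
}
int main(void) {
    printf("reference taken by caller:   %s\n", pointer_survives_unload(false) ? "safe" : "stale pointer");
    printf("reference taken in callback: %s\n", pointer_survives_unload(true) ? "safe" : "stale pointer");
    return 0;
}
```

With the reference taken inside the lookup, the unload attempt is refused until `module_put()` runs, so the pointer handed to the caller never outlives the module.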

Potential Impact

For European organizations, this vulnerability poses a significant risk especially to those running Linux-based infrastructure, including servers, cloud environments, and embedded systems. Exploitation could allow attackers with local access to execute arbitrary code in kernel space, leading to full system compromise, data breaches, or denial of service. Critical infrastructure operators, financial institutions, and enterprises relying on Linux for their backend systems could face operational disruptions and data integrity issues. Moreover, since the vulnerability involves kernel tracing modules, environments that utilize advanced debugging or monitoring tools may be particularly exposed. The absence of known exploits currently reduces immediate risk, but the potential for future weaponization means organizations should prioritize patching. Given the widespread use of Linux in Europe across public and private sectors, the impact could be broad if exploited.

Mitigation Recommendations

Organizations should promptly update their Linux kernels to versions containing the fix that reintroduces try_module_get() within the __find_tracepoint_module_cb() function to prevent the use-after-free condition. Since this is a kernel-level vulnerability, applying vendor-supplied kernel patches or upgrading to the latest stable kernel release is critical. For environments where immediate patching is not feasible, disabling kernel tracing features such as fprobe and tprobe events can reduce exposure. Additionally, restricting local user access to trusted personnel and enforcing strict privilege separation can mitigate exploitation risk. Monitoring kernel logs for unusual tracepoint activity and employing runtime security tools capable of detecting anomalous kernel behavior may provide early warning. Finally, organizations should maintain robust backup and recovery procedures to minimize impact in case of exploitation.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.953Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd7c71

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/4/2025, 12:25:06 AM

Last updated: 7/25/2025, 12:58:57 PM
