
CVE-2025-37884: Vulnerability in the Linux kernel (vendor: Linux, product: Linux)

Severity: Medium
Published: Fri May 09 2025 (05/09/2025, 06:45:47 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix deadlock between rcu_tasks_trace and event_mutex.

Fix the following deadlock:

CPU A
  _free_event()
    perf_kprobe_destroy()
      mutex_lock(&event_mutex)
        perf_trace_event_unreg()
          synchronize_rcu_tasks_trace()

There are several paths where _free_event() grabs event_mutex and calls sync_rcu_tasks_trace. Above is one such case.

CPU B
  bpf_prog_test_run_syscall()
    rcu_read_lock_trace()
      bpf_prog_run_pin_on_cpu()
        bpf_prog_load()
          bpf_tracing_func_proto()
            trace_set_clr_event()
              mutex_lock(&event_mutex)

Delegate trace_set_clr_event() to workqueue to avoid such lock dependency.

AI-Powered Analysis

AI analysis last updated: 07/04/2025, 01:10:18 UTC

Technical Analysis

CVE-2025-37884 is a concurrency bug in the Linux kernel's BPF (Berkeley Packet Filter) and tracing code: a deadlock between two synchronization mechanisms, the rcu_tasks_trace flavour of RCU and the event_mutex lock. Two CPUs wait on these objects in opposite orders, which produces a circular wait. On CPU A, _free_event() calls perf_kprobe_destroy(), which takes event_mutex and then, via perf_trace_event_unreg(), calls synchronize_rcu_tasks_trace(); that call blocks until every pre-existing rcu_tasks_trace read-side critical section has finished. On CPU B, the bpf_prog_test_run_syscall() path enters such a read-side section with rcu_read_lock_trace() and, further down through bpf_prog_load() and bpf_tracing_func_proto(), calls trace_set_clr_event(), which tries to take event_mutex. CPU A holds event_mutex while waiting for CPU B's read section to end, and CPU B cannot leave that read section until it obtains event_mutex, so neither side makes progress. The fix moves the trace_set_clr_event() call to a kernel workqueue, so event_mutex is no longer taken from inside the rcu_tasks_trace read section and the problematic lock dependency disappears. The affected-version range in the CVE record starts at commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, so all distributions shipping kernels without the fix are likely affected. Because this is a deadlock, the impact is on availability: workloads that combine BPF tracing with perf events can hang or freeze the kernel. There were no known exploits in the wild as of the publication date, and no CVSS score had been assigned.
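To make the lock-order inversion concrete, here is a small lockdep-style model written for this page (it is not kernel code and not part of the CVE record): it records which synchronization object each path holds while it waits for the other and searches the resulting dependency graph for a cycle, once with the unpatched CPU B chain and once with trace_set_clr_event() moved to a worker. Treating a synchronize_rcu_tasks_trace() grace-period wait as a wait on the rcu_tasks_trace "lock class" is a modelling assumption.

```c
/* Lock classes from the commit message. synchronize_rcu_tasks_trace() is
 * modelled as waiting on RCU_TASKS_TRACE (assumption, mirroring lockdep). */
enum { EVENT_MUTEX, RCU_TASKS_TRACE, NLOCKS };
/* dep[a][b] == 1: some context held a and then waited for b. */
struct lockgraph { int dep[NLOCKS][NLOCKS]; };

/* Every earlier element of a chain is held while each later one is
 * waited for, so each ordered pair becomes an edge. */
static void record_chain(struct lockgraph *g, const int *chain, int n)
{
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            g->dep[chain[i]][chain[j]] = 1;
}

/* Depth-first search for a path from cur back to start. */
static int reaches(const struct lockgraph *g, int cur, int start, int *seen)
{
    for (int nxt = 0; nxt < NLOCKS; nxt++) {
        if (!g->dep[cur][nxt] || seen[nxt]) continue;
        if (nxt == start) return 1;
        seen[nxt] = 1;
        if (reaches(g, nxt, start, seen)) return 1;
    }
    return 0;
}

/* A cycle in the held-before-waited graph means a deadlock is possible. */
static int has_cycle(const struct lockgraph *g)
{
    for (int l = 0; l < NLOCKS; l++) {
        int seen[NLOCKS] = { 0 };
        if (reaches(g, l, l, seen)) return 1;
    }
    return 0;
}

/* CPU A: mutex_lock(&event_mutex), then synchronize_rcu_tasks_trace().
 * CPU B unpatched: rcu_read_lock_trace() ... mutex_lock(&event_mutex).
 * CPU B patched: trace_set_clr_event() runs from a workqueue worker, so the
 * read section and the mutex are taken in two unrelated contexts. */
static const int cpu_a[] = { EVENT_MUTEX, RCU_TASKS_TRACE };
static const int cpu_b_old[] = { RCU_TASKS_TRACE, EVENT_MUTEX };
static const int cpu_b_new[] = { RCU_TASKS_TRACE }, worker[] = { EVENT_MUTEX };
int deadlock_possible(int patched)
{
    struct lockgraph g = { { { 0 } } };
    record_chain(&g, cpu_a, 2);
    if (patched) { record_chain(&g, cpu_b_new, 1); record_chain(&g, worker, 1); }
    else record_chain(&g, cpu_b_old, 2);
    return has_cycle(&g);   /* 1 before the fix, 0 after */
}
```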

Potential Impact

For European organizations, this vulnerability poses a risk primarily to system stability and availability. Linux is widely deployed across European enterprises, government agencies, and critical infrastructure, especially in servers, cloud environments, and embedded systems. Systems that heavily utilize BPF for tracing, monitoring, or security (e.g., performance analysis tools, observability platforms) may experience kernel deadlocks leading to system hangs or crashes. This can disrupt business operations, cause downtime, and impact services reliant on Linux-based infrastructure. Although this vulnerability does not directly compromise confidentiality or integrity, denial of service through kernel deadlocks can have significant operational and reputational consequences. Organizations running custom or older Linux kernels without the patch are at higher risk. The absence of known exploits reduces immediate threat but does not eliminate risk, especially in complex environments where BPF tracing is common.

Mitigation Recommendations

1. Apply the official Linux kernel patch that delegates trace_set_clr_event() to a workqueue to break the lock dependency and prevent deadlocks. Ensure all Linux systems are updated to kernel versions including this fix.
2. For organizations unable to immediately patch, consider disabling or limiting BPF tracing and perf event features temporarily to reduce exposure.
3. Monitor system logs and kernel messages for signs of deadlocks or hangs related to perf or BPF tracing activities.
4. Implement robust system monitoring and automated recovery mechanisms (e.g., watchdog timers, automated reboots) to minimize downtime in case of deadlocks.
5. Test kernel updates in staging environments to verify stability and compatibility with existing BPF-based tools before production deployment.
6. Educate system administrators and DevOps teams about this vulnerability and the importance of timely patching, especially in environments using advanced tracing features.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.962Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd7be9

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/4/2025, 1:10:18 AM

Last updated: 8/15/2025, 7:33:40 AM
