CVE-2025-37905: Vulnerability in Linux

Medium
Published: Tue May 20 2025 (05/20/2025, 15:21:38 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scmi: Balance device refcount when destroying devices

Using device_find_child() to lookup the proper SCMI device to destroy causes an unbalance in device refcount, since device_find_child() calls an implicit get_device(): this, in turn, inhibits the call of the provided release methods upon devices destruction.

As a consequence, one of the structures that is not freed properly upon destruction is the internal struct device_private dev->p populated by the drivers subsystem core.

KMemleak detects this situation since loading/unloading some SCMI driver causes related devices to be created/destroyed without calling any device_release method.

    unreferenced object 0xffff00000f583800 (size 512):
      comm "insmod", pid 227, jiffies 4294912190
      hex dump (first 32 bytes):
        00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
        ff ff ff ff ff ff ff ff 60 36 1d 8a 00 80 ff ff  ........`6......
      backtrace (crc 114e2eed):
        kmemleak_alloc+0xbc/0xd8
        __kmalloc_cache_noprof+0x2dc/0x398
        device_add+0x954/0x12d0
        device_register+0x28/0x40
        __scmi_device_create.part.0+0x1bc/0x380
        scmi_device_create+0x2d0/0x390
        scmi_create_protocol_devices+0x74/0xf8
        scmi_device_request_notifier+0x1f8/0x2a8
        notifier_call_chain+0x110/0x3b0
        blocking_notifier_call_chain+0x70/0xb0
        scmi_driver_register+0x350/0x7f0
        0xffff80000a3b3038
        do_one_initcall+0x12c/0x730
        do_init_module+0x1dc/0x640
        load_module+0x4b20/0x5b70
        init_module_from_file+0xec/0x158

    $ ./scripts/faddr2line ./vmlinux device_add+0x954/0x12d0
    device_add+0x954/0x12d0:
    kmalloc_noprof at include/linux/slab.h:901
    (inlined by) kzalloc_noprof at include/linux/slab.h:1037
    (inlined by) device_private_init at drivers/base/core.c:3510
    (inlined by) device_add at drivers/base/core.c:3561

Balance device refcount by issuing a put_device() on devices found via device_find_child().

AI-Powered Analysis

Last updated: 07/04/2025, 01:25:31 UTC

Technical Analysis

CVE-2025-37905 is a vulnerability identified in the Linux kernel related to the handling of device reference counts within the ARM SCMI (System Control and Management Interface) firmware driver subsystem. The root cause is an imbalance in device reference counting when destroying SCMI devices. Specifically, the function device_find_child() is used to locate the SCMI device to be destroyed, but this function implicitly increments the device's reference count via get_device() without a corresponding decrement (put_device()) later. This leads to the device's release methods not being called during destruction, resulting in memory not being freed properly. The internal structure device_private dev->p, managed by the drivers subsystem core, is one such object that remains allocated, causing a memory leak. The issue was detected by kmemleak, a kernel memory leak detector, which observed that loading and unloading SCMI drivers creates and destroys devices without invoking their release callbacks. The vulnerability is technical in nature, involving kernel memory management and device lifecycle handling, and affects specific Linux kernel versions identified by the commit hashes listed. The fix involves balancing the device reference count by explicitly calling put_device() on devices found via device_find_child(), ensuring proper cleanup and preventing memory leaks. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
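
A user-space model of the imbalance described above, added here as an illustration; it is not the kernel patch or code from the original page. The struct and the `_model` functions are hypothetical stand-ins for struct device, put_device() and device_find_child(), and the device names are constructed sample values.

```c
/* User-space model, not kernel code; *_model names are hypothetical. */
#include <stdio.h>
#include <string.h>

struct dev_model {
    const char *name;
    int refcount;    /* models the struct device reference count */
    int priv_live;   /* 1 while dev->p (struct device_private) is allocated */
};

static void put_model(struct dev_model *d)
{
    if (--d->refcount == 0)
        d->priv_live = 0;    /* release runs only on the last reference */
}

/* Like device_find_child(): a match comes back with an extra reference. */
static struct dev_model *find_child_model(struct dev_model *kids, int n,
                                          const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(kids[i].name, name) == 0) {
            kids[i].refcount++;    /* the implicit get_device() */
            return &kids[i];
        }
    return NULL;
}

/* Destroy one child; balanced = 0 models the pre-fix path, 1 the fix.
 * Returns 1 if dev->p is still allocated afterwards (leaked), else 0. */
static int destroy_child_model(int balanced)
{
    struct dev_model kids[] = {      /* constructed sample devices */
        { "scmi_dev.1", 1, 1 }, { "scmi_dev.2", 1, 1 },
    };
    struct dev_model *d = find_child_model(kids, 2, "scmi_dev.2");
    if (!d)
        return -1;
    put_model(d);        /* unregister drops only the registration reference */
    if (balanced)
        put_model(d);    /* the fix: also drop the lookup reference */
    return d->priv_live;
}

int main(void)
{
    printf("pre-fix leaked: %d, fixed leaked: %d\n",
           destroy_child_model(0), destroy_child_model(1));
    return 0;
}
```

In the pre-fix path the count never reaches zero, so the release step is skipped on every create/destroy cycle, which is the pattern kmemleak reports on driver load and unload.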

Potential Impact

For European organizations, the impact of CVE-2025-37905 depends largely on their use of Linux systems running affected kernel versions with ARM SCMI drivers. The vulnerability causes a memory leak in the kernel, which over time could degrade system performance, lead to resource exhaustion, and potentially cause system instability or crashes. This is particularly relevant for embedded systems, IoT devices, and ARM-based servers or infrastructure components that rely on SCMI for power and system management. While this vulnerability does not directly enable code execution or privilege escalation, the resulting denial of service through resource depletion could disrupt critical services, especially in industrial, telecommunications, or cloud environments prevalent in Europe. Organizations operating ARM-based Linux systems in sectors such as manufacturing, automotive, or telecommunications may face increased operational risks if unpatched. The absence of known exploits suggests limited immediate threat, but the vulnerability's presence in widely used Linux kernels necessitates prompt attention to avoid potential future exploitation or system reliability issues.

Mitigation Recommendations

European organizations should take the following specific mitigation steps:

1) Identify all Linux systems running ARM architectures with SCMI drivers, especially those using the affected kernel versions or commit hashes.
2) Apply the official Linux kernel patches or updates that address CVE-2025-37905 as soon as they become available.
3) For systems where immediate patching is not feasible, implement monitoring for unusual memory consumption or kernel memory leaks using tools like kmemleak or other kernel debugging utilities.
4) Regularly audit device driver usage and lifecycle management in custom or embedded Linux deployments to ensure proper reference counting and resource cleanup.
5) Engage with Linux distribution vendors to track backported fixes and ensure timely deployment of security updates.
6) For critical infrastructure, consider implementing redundancy and failover mechanisms to mitigate potential service disruptions caused by kernel memory leaks.
7) Educate system administrators and developers about the importance of device reference count management in kernel modules to prevent similar issues.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.966Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682cd0f71484d88663aeaf56

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/4/2025, 1:25:31 AM

Last updated: 8/12/2025, 8:11:08 AM
