CVE-2025-37987: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

pds_core: Prevent possible adminq overflow/stuck condition

The pds_core's adminq is protected by the adminq_lock, which prevents more than one command from being posted onto it at any one time. This makes it so the client drivers cannot simultaneously post adminq commands. However, the completions happen in a different context, which means multiple adminq commands can be posted sequentially, all waiting on completion. On the FW side, the backing adminq request queue is only 16 entries long, and the retry mechanism and/or overflow/stuck prevention is lacking. This can cause the adminq to get stuck, so commands are no longer processed and completions are no longer sent by the FW.

As an initial fix, prevent more than 16 outstanding adminq commands so there's no way to cause the adminq to get stuck. This works because the backing adminq request queue will never have more than 16 pending adminq commands, so it will never overflow. This is done by reducing the adminq depth to 16.
AI Analysis
Technical Summary
CVE-2025-37987 is a vulnerability identified in the Linux kernel specifically related to the pds_core component's adminq (administrative queue) handling. The adminq is designed to serialize commands to the firmware (FW) by using an adminq_lock to ensure that only one command is posted at a time by client drivers. However, completions for these commands occur asynchronously in a different context, allowing multiple commands to be posted sequentially and all to wait for completion simultaneously. The underlying firmware queue that backs the adminq has a fixed size of 16 entries and lacks robust retry or overflow prevention mechanisms. This design flaw can lead to an overflow or stuck condition in the adminq, where the queue becomes full and no further commands are processed, causing the firmware to stop sending completions. This effectively halts command processing, potentially leading to denial of service conditions. The initial mitigation implemented reduces the adminq depth to 16, ensuring that no more than 16 outstanding commands can be posted at once, thereby preventing overflow and the stuck condition. This fix addresses the immediate risk by aligning the software queue depth with the firmware queue capacity, but it may impact performance under heavy administrative command loads. No known exploits are currently reported in the wild, and the vulnerability was publicly disclosed in May 2025 without an assigned CVSS score.
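The following is an added illustration, a constructed model and not pds_core code: posting is serialised by a lock, completions arrive from another context, and the firmware request queue holds the 16 entries the advisory describes. It shows that a driver-side depth above 16 lets a burst of back-to-back commands overflow the FW queue and leave it stuck, while the fixed depth of 16 keeps the FW queue within capacity. The pre-fix depth of 32 used in the test is an assumed value, chosen only to exceed 16.

```c
#include <stdbool.h>

/* Firmware-side adminq request queue length stated in the advisory. */
#define FW_ADMINQ_ENTRIES 16

/* Constructed model of the adminq; not pds_core's own data structures. */
struct adminq_model {
	unsigned int depth;       /* driver-side adminq depth (max outstanding) */
	unsigned int outstanding; /* posted but not yet completed */
	unsigned int fw_pending;  /* entries sitting in the FW request queue */
	bool stuck;               /* FW stopped processing after an overflow */
};

/* Post one command under the (modelled) adminq_lock: posting is serialised,
 * but nothing waits for earlier commands to complete first. Returns false
 * when the driver ring is full or the FW has already stopped responding. */
static bool adminq_post(struct adminq_model *q)
{
	if (q->stuck || q->outstanding >= q->depth)
		return false;
	q->outstanding++;
	if (++q->fw_pending > FW_ADMINQ_ENTRIES)
		q->stuck = true; /* overflow: FW sends no further completions */
	return true;
}

/* A completion arrives from a different context; one entry leaves the FW queue. */
static bool adminq_complete(struct adminq_model *q)
{
	if (q->stuck || q->fw_pending == 0)
		return false;
	q->fw_pending--;
	q->outstanding--;
	return true;
}

/* Post `burst` commands back to back with no completions in between, then
 * drain. Returns how many commands the FW completed; 0 means it got stuck. */
static unsigned int run_burst(unsigned int depth, unsigned int burst)
{
	struct adminq_model q = { .depth = depth };
	unsigned int completed = 0;
	for (unsigned int i = 0; i < burst; i++)
		adminq_post(&q);
	while (adminq_complete(&q))
		completed++;
	return completed;
}
```

With an assumed pre-fix depth of 32, a burst of 17 or more commands stalls the FW queue and nothing completes; with depth 16 the same burst is throttled at the driver and all 16 posted commands complete.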
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable versions of the Linux kernel that include the affected pds_core component. The potential impact includes denial of service (DoS) conditions where administrative commands to the firmware are no longer processed, potentially degrading system stability and availability. This could affect critical infrastructure, cloud service providers, and enterprises relying on Linux-based servers and network devices. Given Linux's widespread use in European data centers, telecommunications, and industrial control systems, the vulnerability could disrupt operations if exploited or triggered inadvertently. While no active exploitation is known, the risk remains that attackers or malfunctioning software could cause system outages. The impact on confidentiality and integrity is limited, as the vulnerability primarily affects availability. However, prolonged DoS conditions could indirectly affect business continuity and service delivery, especially in sectors with stringent uptime requirements such as finance, healthcare, and public services.
Mitigation Recommendations
European organizations should promptly apply kernel updates that include the fix reducing the adminq depth to 16 to prevent overflow conditions. Beyond patching, administrators should monitor system logs and firmware communication channels for signs of adminq queue saturation or stuck conditions. Implementing proactive alerting on abnormal adminq command queue lengths or firmware response delays can help detect issues early. For environments with high administrative command loads, consider workload balancing or command rate limiting to avoid saturating the adminq. Additionally, organizations should validate firmware versions and ensure they are compatible with the patched kernel to prevent mismatches that could exacerbate the issue. In critical systems, testing patches in staging environments before deployment is recommended to assess performance impacts. Network segmentation and strict access controls can reduce the risk of unauthorized triggering of the vulnerability. Finally, maintain regular backups and incident response plans to mitigate potential service disruptions.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T04:51:23.976Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682cd0f71484d88663aeadee
Added to database: 5/20/2025, 6:59:03 PM
Last enriched: 7/3/2025, 7:25:54 PM
Last updated: 7/30/2025, 11:56:15 PM