
CVE-2025-37989: Vulnerability in Linux Linux

Medium
Published: Tue May 20 2025 (05/20/2025, 17:09:21 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net: phy: leds: fix memory leak

A network restart test on a router led to an out-of-memory condition, which was traced to a memory leak in the PHY LED trigger code.

The root cause is misuse of the devm API. The registration function (phy_led_triggers_register) is called from phy_attach_direct, not phy_probe, and the unregister function (phy_led_triggers_unregister) is called from phy_detach, not phy_remove. This means the register and unregister functions can be called multiple times for the same PHY device, but devm-allocated memory is not freed until the driver is unbound.

This also prevents kmemleak from detecting the leak, as the devm API internally stores the allocated pointer.

Fix this by replacing devm_kzalloc/devm_kcalloc with standard kzalloc/kcalloc, and add the corresponding kfree calls in the unregister path.

AI-Powered Analysis

Last updated: 07/03/2025, 19:26:22 UTC

Technical Analysis

CVE-2025-37989 is a memory leak vulnerability identified in the Linux kernel's PHY LED trigger subsystem. The issue arises from improper use of the device-managed (devm) memory allocation API within the PHY LED trigger code. Specifically, the registration function phy_led_triggers_register is invoked from phy_attach_direct rather than phy_probe, and the corresponding unregister function phy_led_triggers_unregister is called from phy_detach instead of phy_remove. This leads to multiple invocations of register and unregister functions for the same PHY device without properly freeing the devm-allocated memory, which is only released when the driver is unbound. Consequently, this results in a memory leak that can cause an out-of-memory condition during network restart tests on routers. The devm API's internal pointer storage also prevents detection of this leak by kmemleak tools. The fix involves replacing devm_kzalloc/devm_kcalloc calls with standard kzalloc/kcalloc and adding explicit kfree calls in the unregister path to ensure proper memory deallocation. This vulnerability affects the Linux kernel versions identified by the commit hash 2e0bc452f4721520502575362a9cd3c1248d2337 and was published on May 20, 2025. No known exploits are reported in the wild as of now, and no CVSS score has been assigned.
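The attach/detach mismatch described above, as an added userspace C model (not kernel code and not the upstream patch). `model_devm_kzalloc`, `model_unbind`, `held_after_cycles` and the 256-byte size are constructed stand-ins for the devres list, driver unbind and the trigger allocation.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed userspace model of devres behaviour; not kernel code. */
#define TRIG_BYTES 256                      /* constructed allocation size */
struct devres { struct devres *next; size_t size; void *data; };
struct phy { struct devres *devres; void *triggers; };

/* Models devm_kzalloc(): the pointer is parked on the device's devres list. */
static void *model_devm_kzalloc(struct phy *p, size_t size)
{
    struct devres *dr = malloc(sizeof(*dr));
    void *mem = calloc(1, size);
    if (!dr || !mem) { free(dr); free(mem); return NULL; }
    *dr = (struct devres){ .next = p->devres, .size = size, .data = mem };
    p->devres = dr;
    return mem;
}

/* Models driver unbind, the only release point; returns the bytes it freed. */
static size_t model_unbind(struct phy *p)
{
    size_t released = 0;
    while (p->devres) {
        struct devres *dr = p->devres;
        p->devres = dr->next;
        released += dr->size;
        free(dr->data);
        free(dr);
    }
    return released;
}

/* Bytes still held after n attach/detach cycles with no unbind in between. */
static size_t held_after_cycles(int n, int fixed)
{
    struct phy p = {0};
    for (int i = 0; i < n; i++) {
        p.triggers = fixed ? calloc(1, TRIG_BYTES) : model_devm_kzalloc(&p, TRIG_BYTES);
        if (fixed)
            free(p.triggers);               /* detach after the fix: explicit free */
        p.triggers = NULL;                  /* detach before the fix: pointer dropped only */
    }
    return model_unbind(&p);                /* whatever the cycles left behind */
}

int main(void)
{
    printf("devm: %zu, fixed: %zu\n", held_after_cycles(1000, 0), held_after_cycles(1000, 1));
    return 0;
}
```

In the devm path every block stays reachable through the devres list, which is why a reachability-based detector such as kmemleak does not flag it.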

Potential Impact

For European organizations, this vulnerability primarily impacts network infrastructure devices running Linux-based kernels, such as routers and switches that utilize PHY LED triggers. The memory leak can lead to gradual exhaustion of system memory during network restarts or PHY device reinitializations, potentially causing device instability, degraded network performance, or even outages due to out-of-memory conditions. This can disrupt critical network services, affecting business continuity, especially in sectors reliant on stable and high-availability networking such as telecommunications, finance, healthcare, and government. While the vulnerability does not directly allow code execution or privilege escalation, the resulting denial of service through resource exhaustion can be leveraged in targeted attacks or combined with other vulnerabilities. The lack of requirement for user interaction or authentication to trigger the leak (assuming network restart or PHY reinitialization events can be induced remotely or locally) increases the risk profile. However, the impact is somewhat limited to devices with affected kernel versions and specific PHY LED trigger usage, which may reduce the attack surface in some environments.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel versions to those containing the patch that replaces devm_kzalloc/devm_kcalloc with standard kzalloc/kcalloc and adds corresponding kfree calls in the unregister path. Network device vendors should be contacted to confirm firmware or kernel updates addressing this issue. For environments where immediate patching is not feasible, monitoring memory usage on network devices during network restarts or PHY reinitializations can help detect abnormal memory consumption indicative of the leak. Network administrators should also review device configurations to minimize unnecessary PHY device reinitializations and consider implementing automated device restarts or memory cleanup scripts as temporary mitigations. Additionally, organizations should maintain robust network segmentation and access controls to limit exposure of vulnerable devices to untrusted networks, reducing the risk of remote exploitation. Finally, integrating this vulnerability into vulnerability management and patching workflows will ensure timely remediation as updates become available.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.976Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682cd0f71484d88663aeadfd

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/3/2025, 7:26:22 PM

Last updated: 7/30/2025, 4:08:33 PM
