CVE-2025-37836 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: PCI: Fix reference leak in pci_register_host_bridge() If device_register() fails, call put_device() to give up the reference to avoid a memory leak, per the comment at device_register(). Found by code review. [bhelgaas: squash Dan Carpenter's double free fix from https://lore.kernel.org/r/db806a6c-a91b-4e5a-a84b-6b7e01bdac85@stanley.mountain]

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00047.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/3297497ad2246eb9243849bfbbc57a0dea97d76e
https://git.kernel.org/stable/c/804443c1f27883926de94c849d91f5b7d7d696e9
https://git.kernel.org/stable/c/9707d0c932f41006a2701afc926b232b50e356b4
https://git.kernel.org/stable/c/b783478e0c53ffb4f04f25fb4e21ef7f482b05df
https://git.kernel.org/stable/c/bbba4c50a2d2a1d3f3bf31cc4b8280cb492bf2c7
https://git.kernel.org/stable/c/bd2a352a0d72575f1842d28c14c10089f0cfe1ae
https://git.kernel.org/stable/c/f4db1b2c9ae3d013733c302ee70cac943b7070c0
https://git.kernel.org/stable/c/f9208aec86226524ec1cb68a09ac70e974ea6536
https://lore.kernel.org/linux-cve-announce/2025050914-CVE-2025-37836-5ccf@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-37836
https://www.cve.org/CVERecord?id=CVE-2025-37836

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00035}`	epss `{'score': 0.00036}`

Sat, 10 May 2025 02:30:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025050914-CVE-2025-37836-5ccf@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-37836 https://www.cve.org/CVERecord?id=CVE-2025-37836
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 09 May 2025 07:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: PCI: Fix reference leak in pci_register_host_bridge() If device_register() fails, call put_device() to give up the reference to avoid a memory leak, per the comment at device_register(). Found by code review. [bhelgaas: squash Dan Carpenter's double free fix from https://lore.kernel.org/r/db806a6c-a91b-4e5a-a84b-6b7e01bdac85@stanley.mountain]
Title		PCI: Fix reference leak in pci_register_host_bridge()
References		https://git.kernel.org/stable/c/3297497ad2246eb9243849bfbbc57a0dea97d76e https://git.kernel.org/stable/c/804443c1f27883926de94c849d91f5b7d7d696e9 https://git.kernel.org/stable/c/9707d0c932f41006a2701afc926b232b50e356b4 https://git.kernel.org/stable/c/b783478e0c53ffb4f04f25fb4e21ef7f482b05df https://git.kernel.org/stable/c/bbba4c50a2d2a1d3f3bf31cc4b8280cb492bf2c7 https://git.kernel.org/stable/c/bd2a352a0d72575f1842d28c14c10089f0cfe1ae https://git.kernel.org/stable/c/f4db1b2c9ae3d013733c302ee70cac943b7070c0 https://git.kernel.org/stable/c/f9208aec86226524ec1cb68a09ac70e974ea6536

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-05-09T06:41:47.341Z

Updated: 2025-05-26T05:21:57.578Z

Reserved: 2025-04-16T04:51:23.952Z

Link: CVE-2025-37836

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-05-09T07:16:04.320

Modified: 2025-05-12T17:32:52.810

Link: CVE-2025-37836

Redhat

Severity : Moderate

Publid Date: 2025-05-09T00:00:00Z

Links: CVE-2025-37836 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object