CVE-2025-37891 — Classic Buffer Overflow in Linux

CWE-120 — Classic Buffer Overflow CWE-131 — Incorrect Calculation of Buffer Size CWE-669 — Incorrect Resource Transfer Between Spheres54 documents8 sources

Severity

7.8HIGHNVD

OSV3.2

EPSS

0.1%

top 79.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Linux Kernel Debian Linux +24 more

Timeline

PublishedMay 19

Latest updateMar 25

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: ump: Fix buffer overflow at UMP SysEx message conversion The conversion function from MIDI 1.0 to UMP packet contains an internal buffer to keep the incoming MIDI bytes, and its size is 4, as it was supposed to be the max size for a MIDI1 UMP packet data. However, the implementation overlooked that SysEx is handled in a different format, and it can be up to 6 bytes, as found in do_convert_to_ump(). It leads eventually to…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages29 packages

▶NVDlinux/linux_kernel6.5 — 6.6.90+3

▶Debianlinux/linux_kernel< 6.12.29-1+1

▶Ubuntulinux/linux_kernel< 6.8.0-100.100+1

▶msrcmsrc/azl3_kernel_6.6.85.1-4_on_azure_linux_3.0

▶msrcmsrc/azl3_kernel_6.6.92.2-1_on_azure_linux_3.0

Patches

Patch: git.kernel.org ↗Patch: git.kernel.org ↗Patch: git.kernel.org ↗

🔴Vulnerability Details

OSV

linux-azure-6.8 vulnerabilities↗2026-03-25

▶

OSV

linux-azure-fips vulnerabilities↗2026-03-04

▶

OSV

linux-azure vulnerabilities↗2026-03-04

▶

OSV

linux-ibm, linux-ibm-6.8 vulnerabilities↗2026-02-24

▶

OSV

linux-xilinx vulnerabilities↗2026-02-24

▶

📋Vendor Advisories

Ubuntu

Linux kernel (Azure) vulnerabilities↗2026-03-25

▶

Ubuntu

Linux kernel (Azure) vulnerabilities↗2026-03-04

▶

Ubuntu

Linux kernel (Azure FIPS) vulnerabilities↗2026-03-04

▶

Ubuntu

Linux kernel (Xilinx) vulnerabilities↗2026-02-24

▶

Ubuntu

Linux kernel (IBM) vulnerabilities↗2026-02-24

▶

External resources

NVD MITRE

Affected products27

Debian Linuxfixed in linux 6.12.29-1 (forky)

Linux≥ 0b5288f5fe63eab687c14e5940b9e0d532b129f2, < ce4f77bef276e7d2eb7ab03a5d08bcbaa40710ec≥ 0b5288f5fe63eab687c14e5940b9e0d532b129f2, < 226beac5605afbb33f8782148d188b64396145a4≥ 0b5288f5fe63eab687c14e5940b9e0d532b129f2, < 42ef48dd4ebb082a1a90b5c3feeda2e68a9e32fe+2 more

Linux Kernel≥ 0, < 6.12.29-1≥ 6.5, < 6.6.90≥ 6.7, < 6.12.28+4 more

Msrc Azl3 Kernel 6.6.85.1-4 ON Azure Linux 3.0

Msrc Azl3 Kernel 6.6.92.2-1 ON Azure Linux 3.0

Msrc Azl3 Mozjs 102.15.1-1 ON Azure Linux 3.0

Msrc Azl3 Python-pip 24.2-2 ON Azure Linux 3.0

Msrc Azl3 Python-urllib3 2.0.7-1 ON Azure Linux 3.0

Msrc Azl3 Python3 3.12.3-5 ON Azure Linux 3.0

Msrc Azl3 Tensorflow 2.16.1-9 ON Azure Linux 3.0

Disclosure

PublishedMay 19, 2025

Latest updateMar 25, 2026