From 721384e32d02a6429aec325614ce4dcf586b5969 Mon Sep 17 00:00:00 2001
From: anolis-bot
Date: Thu, 22 May 2025 19:48:26 +0800
Subject: [PATCH] create cve CVE-2025-37989
---
 data/cve/CVE-2025-37989.json | 71 ++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 data/cve/CVE-2025-37989.json
diff --git a/data/cve/CVE-2025-37989.json b/data/cve/CVE-2025-37989.json
new file mode 100644
index 0000000000..475735cfd9
--- /dev/null
+++ b/data/cve/CVE-2025-37989.json
@@ -0,0 +1,71 @@
+{
+ "id": 28193,
+ "cve_id": "CVE-2025-37989",
+ "creator": null,
+ "publisher": "cve-center",
+ "publish_third_party_token": "cve-center",
+ "publish_date": "2025-05-21 02:15:45",
+ "cvss": {
+ "nvd_cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ "openanolis_cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ },
+ "product": [
+ {
+ "product_id": 6,
+ "name_version": "Anolis OS 7",
+ "product_package_info": {
+ "src": [
+ {
+ "rpm_name": "kernel:4.19",
+ "rpm_status": "out_scope"
+ }
+ ]
+ }
+ },
+ {
+ "product_id": 5,
+ "name_version": "Anolis OS 8",
+ "product_package_info": {
+ "src": [
+ {
+ "rpm_name": "kernel:5.10",
+ "rpm_status": "not_fix"
+ }
+ ]
+ }
+ },
+ {
+ "product_id": 7,
+ "name_version": "Anolis OS 23",
+ "product_package_info": {
+ "src": [
+ {
+ "rpm_name": "kernel:6.6",
+ "rpm_status": "unaffected"
+ }
+ ]
+ }
+ }
+ ],
+ "affected_packages": [
+ "kernel:6.6",
+ "kernel:5.10",
+ "kernel:4.19"
+ ],
+ "score": 5.5,
+ "severity": "Moderate",
+ "status": 1,
+ "source": "Mitre",
+ "cve_source_link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37989",
+ "abstract": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: leds: fix memory leak\n\nA network restart test on a router led to an out-of-memory condition,\nwhich was traced to a memory leak in the PHY LED trigger code.\n\nThe root cause is misuse of the devm API. The registration function\n(phy_led_triggers_register) is called from phy_attach_direct, not\nphy_probe, and the unregister function (phy_led_triggers_unregister)\nis called from phy_detach, not phy_remove. This means the register and\nunregister functions can be called multiple times for the same PHY\ndevice, but devm-allocated memory is not freed until the driver is\nunbound.\n\nThis also prevents kmemleak from detecting the leak, as the devm API\ninternally stores the allocated pointer.\n\nFix this by replacing devm_kzalloc/devm_kcalloc with standard\nkzalloc/kcalloc, and add the corresponding kfree calls in the unregister\npath.",
+ "description": null,
+ "issue": null,
+ "acknowledgements": null,
+ "acknowledgements_en": null,
+ "reference": null,
+ "diagnose": null,
+ "statement": null,
+ "mitigation": null,
+ "update_user": null,
+ "errata": []
+}
\ No newline at end of file
-- Gitee
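Review bot: `affected_packages` lists `kernel:6.6` and `kernel:4.19`, but the `product` entries mark those same packages `unaffected` and `out_scope`, so a scanner that keys on `affected_packages` alone would report Anolis OS 23 and Anolis OS 7 hosts as exposed. If the array is meant to hold only vulnerable packages it should presumably read `"affected_packages": ["kernel:5.10"]`; if it means "packages assessed", that needs stating wherever the schema is documented, since the name suggests otherwise. Anolis OS 8 is `not_fix` while `mitigation`, `statement`, `reference` and `errata` are all empty, so operators on 5.10 kernels get a status with no interim guidance or upstream fix link. `publish_date` (`2025-05-21 02:15:45`) carries no timezone, which makes ordering against NVD timestamps ambiguous.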