Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.8
CVE-2025-39911: Intel Ethernet Driver in Linux Kernel: Potential Data Corruption
CVE-2025-39911
Summary
A bug in the Intel Ethernet driver in the Linux kernel could cause data corruption if a specific error occurs. This issue has been fixed in a recent update, so it's essential to apply the latest kernel patches to prevent potential data corruption. This affects systems using the i40e driver, particularly those with network-intensive applications.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| linux | linux_kernel |
>= 3.13, < 5.4.300 >= 5.5, < 5.10.245 >= 5.11, < 5.15.194 >= 5.16, < 6.1.153 >= 6.2, < 6.6.107 >= 6.7, < 6.12.48 >= 6.13, < 6.16.8 6.17 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| debian | debian_linux |
11.0 cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
Original title
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path
If request_irq() in i40e_vsi_request_irq_msix() fails in an itera...
Original description
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path
If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration
later than the first, the error path wants to free the IRQs requested
so far. However, it uses the wrong dev_id argument for free_irq(), so
it does not free the IRQs correctly and instead triggers the warning:
Trying to free already-free IRQ 173
WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0
Modules linked in: i40e(+) [...]
CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)
Hardware name: [...]
RIP: 0010:__free_irq+0x192/0x2c0
[...]
Call Trace:
<TASK>
free_irq+0x32/0x70
i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e]
i40e_vsi_request_irq+0x79/0x80 [i40e]
i40e_vsi_open+0x21f/0x2f0 [i40e]
i40e_open+0x63/0x130 [i40e]
__dev_open+0xfc/0x210
__dev_change_flags+0x1fc/0x240
netif_change_flags+0x27/0x70
do_setlink.isra.0+0x341/0xc70
rtnl_newlink+0x468/0x860
rtnetlink_rcv_msg+0x375/0x450
netlink_rcv_skb+0x5c/0x110
netlink_unicast+0x288/0x3c0
netlink_sendmsg+0x20d/0x430
____sys_sendmsg+0x3a2/0x3d0
___sys_sendmsg+0x99/0xe0
__sys_sendmsg+0x8a/0xf0
do_syscall_64+0x82/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
[...]
</TASK>
---[ end trace 0000000000000000 ]---
Use the same dev_id for free_irq() as for request_irq().
I tested this with inserting code to fail intentionally.
i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path
If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration
later than the first, the error path wants to free the IRQs requested
so far. However, it uses the wrong dev_id argument for free_irq(), so
it does not free the IRQs correctly and instead triggers the warning:
Trying to free already-free IRQ 173
WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0
Modules linked in: i40e(+) [...]
CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)
Hardware name: [...]
RIP: 0010:__free_irq+0x192/0x2c0
[...]
Call Trace:
<TASK>
free_irq+0x32/0x70
i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e]
i40e_vsi_request_irq+0x79/0x80 [i40e]
i40e_vsi_open+0x21f/0x2f0 [i40e]
i40e_open+0x63/0x130 [i40e]
__dev_open+0xfc/0x210
__dev_change_flags+0x1fc/0x240
netif_change_flags+0x27/0x70
do_setlink.isra.0+0x341/0xc70
rtnl_newlink+0x468/0x860
rtnetlink_rcv_msg+0x375/0x450
netlink_rcv_skb+0x5c/0x110
netlink_unicast+0x288/0x3c0
netlink_sendmsg+0x20d/0x430
____sys_sendmsg+0x3a2/0x3d0
___sys_sendmsg+0x99/0xe0
__sys_sendmsg+0x8a/0xf0
do_syscall_64+0x82/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
[...]
</TASK>
---[ end trace 0000000000000000 ]---
Use the same dev_id for free_irq() as for request_irq().
I tested this with inserting code to fail intentionally.
nvd CVSS3.1
7.8
- https://git.kernel.org/stable/c/13ab9adef3cd386511c930a9660ae06595007f89 Patch
- https://git.kernel.org/stable/c/23431998a37764c464737b855c71a81d50992e98 Patch
- https://git.kernel.org/stable/c/6e4016c0dca53afc71e3b99e24252b63417395df Patch
- https://git.kernel.org/stable/c/915470e1b44e71d1dd07ee067276f003c3521ee3 Patch
- https://git.kernel.org/stable/c/a30afd6617c30aaa338d1dbcb1e34e7a1890085c Patch
- https://git.kernel.org/stable/c/b905b2acb3a0bbb08ad9be9984d8cdabdf827315 Patch
- https://git.kernel.org/stable/c/b9721a023df38cf44a88f2739b4cf51efd051f85 Patch
- https://git.kernel.org/stable/c/c62580674ce5feb1be4f90b5873ff3ce50e0a1db Patch
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html Third Party Advisory
Published: 1 Oct 2025 · Updated: 15 Jun 2026 · First seen: 7 Mar 2026