CVE-2025-39911
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-01

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration later than the first, the error path wants to free the IRQs requested so far. However, it uses the wrong dev_id argument for free_irq(), so it does not free the IRQs correctly and instead triggers the warning: Trying to free already-free IRQ 173 WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0 Modules linked in: i40e(+) [...] CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy) Hardware name: [...] RIP: 0010:__free_irq+0x192/0x2c0 [...] Call Trace: <TASK> free_irq+0x32/0x70 i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e] i40e_vsi_request_irq+0x79/0x80 [i40e] i40e_vsi_open+0x21f/0x2f0 [i40e] i40e_open+0x63/0x130 [i40e] __dev_open+0xfc/0x210 __dev_change_flags+0x1fc/0x240 netif_change_flags+0x27/0x70 do_setlink.isra.0+0x341/0xc70 rtnl_newlink+0x468/0x860 rtnetlink_rcv_msg+0x375/0x450 netlink_rcv_skb+0x5c/0x110 netlink_unicast+0x288/0x3c0 netlink_sendmsg+0x20d/0x430 ____sys_sendmsg+0x3a2/0x3d0 ___sys_sendmsg+0x99/0xe0 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x82/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] </TASK> ---[ end trace 0000000000000000 ]--- Use the same dev_id for free_irq() as for request_irq(). I tested this with inserting code to fail intentionally.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-01
Last Modified
2025-11-03
Generated
2026-05-06
AI Q&A
2025-10-01
EPSS Evaluated
2026-05-05
NVD
CVE-2025-39911
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux 6.1.153-1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is in the Linux kernel's i40e network driver. When the function i40e_vsi_request_irq_msix() tries to request multiple IRQs (interrupt requests) and fails after the first one, it attempts to free the IRQs it has already requested. However, it uses the wrong device identifier (dev_id) when calling free_irq(), which causes the IRQs not to be freed correctly and triggers a kernel warning about trying to free an already freed IRQ. The fix involves using the same dev_id for free_irq() as was used for request_irq().


How can this vulnerability impact me? :

This vulnerability can cause improper freeing of IRQs in the i40e network driver, leading to kernel warnings and potentially unstable behavior in the network driver or the kernel. It may cause resource leaks or unexpected errors during network device initialization or operation, which could affect system stability or network functionality.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the system logs for the specific warning message triggered by the incorrect free_irq() call. Look for the warning: 'Trying to free already-free IRQ <number>' along with kernel warnings referencing __free_irq and the i40e module. You can use commands like 'dmesg | grep -i "Trying to free already-free IRQ"' or 'journalctl -k | grep i40e' to find such warnings in kernel logs.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version where the i40e driver has been fixed to use the correct dev_id argument in free_irq(). If updating immediately is not possible, monitor for the warning messages and avoid triggering the error path in i40e_vsi_request_irq_msix(), such as by limiting network interface operations that may cause IRQ request failures.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart