CVE-2025-40091

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-40091
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40091.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40091
Downstream
Published
2025-10-30T09:47:59Z
Modified
2025-10-30T20:53:49.250487Z
Summary
ixgbe: fix too early devlink_free() in ixgbe_remove()
Details

In the Linux kernel, the following vulnerability has been resolved:

ixgbe: fix too early devlinkfree() in ixgberemove()

Since ixgbeadapter is embedded in devlink, calling devlinkfree() prematurely in the ixgberemove() path can lead to UAF. Move devlinkfree() to the end.

KASAN report:

BUG: KASAN: use-after-free in ixgberesetinterruptcapability+0x140/0x180 [ixgbe] Read of size 8 at addr ffff0000adf813e0 by task bash/2095 CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full) [...] Call trace: showstack+0x30/0x90 (C) dumpstacklvl+0x9c/0xd0 printaddressdescription.constprop.0+0x90/0x310 printreport+0x104/0x1f0 kasanreport+0x88/0x180 _asanreportload8noabort+0x20/0x30 ixgberesetinterruptcapability+0x140/0x180 [ixgbe] ixgbeclearinterruptscheme+0xf8/0x130 [ixgbe] ixgberemove+0x2d0/0x8c0 [ixgbe] pcideviceremove+0xa0/0x220 deviceremove+0xb8/0x170 devicereleasedriverinternal+0x318/0x490 devicedriverdetach+0x40/0x68 unbindstore+0xec/0x118 drvattrstore+0x64/0xb8 sysfskfwrite+0xcc/0x138 kernfsfopwriteiter+0x294/0x440 newsyncwrite+0x1fc/0x588 vfswrite+0x480/0x6a0 ksyswrite+0xf0/0x1e0 _arm64syswrite+0x70/0xc0 invokesyscall.constprop.0+0xcc/0x280 el0svccommon.constprop.0+0xa8/0x248 doel0svc+0x44/0x68 el0svc+0x54/0x160 el0t64synchandler+0xa0/0xe8 el0t64_sync+0x1b0/0x1b8

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a0285236ab93fdfdd1008afaa04561d142d6c276
Fixed
df445969aa727cd64f3f29dc1f85fb60aca238d1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a0285236ab93fdfdd1008afaa04561d142d6c276
Fixed
5feef67b646d8f5064bac288e22204ffba2b9a4a

Affected versions

v6.*

v6.15
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.17.1
v6.17.2
v6.17.3
v6.17.4

Database specific

vanir_signatures

[
    {
        "id": "CVE-2025-40091-1090749d",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "317239187032405608314592137711123560767",
            "length": 1794.0
        },
        "target": {
            "file": "drivers/net/ethernet/intel/ixgbe/ixgbe_main.c",
            "function": "ixgbe_remove"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5feef67b646d8f5064bac288e22204ffba2b9a4a"
    },
    {
        "id": "CVE-2025-40091-9b441eae",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "164409940668515926976273343170529838772",
            "length": 1767.0
        },
        "target": {
            "file": "drivers/net/ethernet/intel/ixgbe/ixgbe_main.c",
            "function": "ixgbe_remove"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@df445969aa727cd64f3f29dc1f85fb60aca238d1"
    },
    {
        "id": "CVE-2025-40091-a07f6779",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "56793915142209047582128001787812702564",
                "28018563781812152528485077329435508082",
                "197836945052386064850908089104070218851",
                "329716273956857677571875096673263604417",
                "161897730280381880148326779576344118356",
                "226352887296896313370071123819762291126",
                "66136638295472810631099543355017841309",
                "50907831651379354390425958346146676052"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/net/ethernet/intel/ixgbe/ixgbe_main.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@df445969aa727cd64f3f29dc1f85fb60aca238d1"
    },
    {
        "id": "CVE-2025-40091-ca277e15",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "56793915142209047582128001787812702564",
                "28018563781812152528485077329435508082",
                "197836945052386064850908089104070218851",
                "329716273956857677571875096673263604417",
                "161897730280381880148326779576344118356",
                "226352887296896313370071123819762291126",
                "66136638295472810631099543355017841309",
                "50907831651379354390425958346146676052"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/net/ethernet/intel/ixgbe/ixgbe_main.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5feef67b646d8f5064bac288e22204ffba2b9a4a"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.17.5