CVE-2025-39968
Description
In the Linux kernel, the following vulnerability has been resolved:
i40e: add max boundary check for VF filters
There is no check for max filters that VF can request. Add it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing boundary check in the Linux kernel's i40e driver allows VFs to request more filters than permitted, potentially leading to resource exhaustion.
Vulnerability
Overview
The i40e driver for Intel Ethernet controllers in the Linux kernel lacked a maximum boundary check for the number of filters a Virtual Function (VF) can request. This oversight means that a VF could attempt to create an arbitrary number of filters without being limited by the driver, potentially exhausting kernel memory or other resources [1][2][3].
Exploitation
An attacker with access to a VF on a system using the i40e driver could exploit this by sending a large number of filter creation requests. No special privileges beyond VF privileges are required, as the VF itself can initiate these requests. The attack surface is limited to environments where VFs are enabled and the i40e driver is in use [1][2][3].
Impact
Successful exploitation could lead to resource exhaustion, causing denial of service (DoS) conditions for the host system or other VFs. The lack of a boundary check means the driver may allocate memory or other resources without limit, potentially crashing the system or making it unresponsive [1][2][3].
Mitigation
The fix adds a maximum boundary check for VF filters, ensuring that the driver rejects requests that exceed the allowed limit. The patch has been applied to the stable kernel tree and is available in the referenced commits [1][2][3]. Users should update their kernels to include this fix.
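The kind of boundary check described above, as an added example rather than code from the i40e driver or the referenced commits: a simplified user-space model in which a VF's batched filter request is checked against the remaining quota before anything is allocated. The struct and function names and the quota of 16 are assumptions made for illustration.

```c
/* Simplified user-space model of a per-VF filter quota. Not i40e driver
 * code: every name and the limit below are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define VF_MAX_FILTERS 16u /* assumed per-VF quota */

struct mac { uint8_t b[6]; };
struct filter { struct mac addr; struct filter *next; };
struct vf_state { struct filter *head; uint32_t num_filters; };

static int vf_has_filter(const struct vf_state *vf, const struct mac *m)
{
    for (const struct filter *f = vf->head; f; f = f->next)
        if (memcmp(&f->addr, m, sizeof(*m)) == 0)
            return 1;
    return 0;
}

/* Handle one "add filters" request carrying n addresses from the VF. */
int vf_add_filters(struct vf_state *vf, const struct mac *macs, uint32_t n)
{
    uint32_t new_cnt = 0;

    /* Count entries the request would create; known addresses are free. */
    for (uint32_t i = 0; i < n; i++)
        if (!vf_has_filter(vf, &macs[i]))
            new_cnt++;
    /* Check the whole batch before allocating anything. The subtraction
     * form cannot wrap because num_filters never exceeds the quota. */
    if (new_cnt > VF_MAX_FILTERS - vf->num_filters)
        return -ENOSPC;
    for (uint32_t i = 0; i < n; i++) {
        struct filter *f;

        if (vf_has_filter(vf, &macs[i])) /* also skips in-batch repeats */
            continue;
        if (!(f = calloc(1, sizeof(*f))))
            return -ENOMEM;
        f->addr = macs[i];
        f->next = vf->head;
        vf->head = f;
        vf->num_filters++;
    }
    return 0;
}
```

Without the quota comparison, the second loop would allocate one list node per requested address for as long as the VF keeps sending requests, which is the unbounded growth the Impact section describes.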
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
9176e18681cb, e490d8c5a54e, 77a35be582df, 02aae5fcdd34, edecce7abd71, d33e5d6631ac, 8b13df5aa877, cb79fa7118c1
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/02aae5fcdd34c3a55a243d80a1b328a35852a35c (nvd)
- git.kernel.org/stable/c/77a35be582dff4c80442ebcdce24d45eed8a6ce4 (nvd)
- git.kernel.org/stable/c/8b13df5aa877b9e4541e301a58a84c42d84d2d9a (nvd)
- git.kernel.org/stable/c/9176e18681cb0d34c5acc87bda224f5652af2ab8 (nvd)
- git.kernel.org/stable/c/cb79fa7118c150c3c76a327894bb2eb878c02619 (nvd)
- git.kernel.org/stable/c/d33e5d6631ac4fddda235a7815babc9d3f124299 (nvd)
- git.kernel.org/stable/c/e490d8c5a54e0dd1ab22417d72c3a7319cf0f030 (nvd)
- git.kernel.org/stable/c/edecce7abd7152b48e279b4fa0a883d1839bb577 (nvd)