CVE-2025-39971

Vulnerability

CVE-2025-39971 is a vulnerability in the Linux kernel's i40e network driver. The issue resides in the i40e_vc_config_queues_msg() function, which handles a virtual channel message from a Virtual Function (VF) to configure its queues. The function iterating index idx over the vf->ch[] array was not validated to ensure it stays within the range of active or initialized Traffic Classes (TCs). This missing bounds check can lead to an out-of-bounds array access [1].

Exploitation

An attacker with the ability to send crafted virtual channel messages from a VF to the Physical Function (PF) driver can trigger this vulnerability. The VF must be able to specify a TC index that exceeds the number of initialized TCs. No special privileges beyond VF access are required, and the attack can be performed from within a guest VM using the i40e VF driver.

Impact

Successful exploitation could cause a denial of service (system crash or memory corruption) due to the out-of-bounds access. In some cases, it might lead to information disclosure or potentially aiding further attacks. The vulnerability does not require authentication from the VF perspective, as the VF driver is trusted model is not involved.

Mitigation

The fix was applied in the Linux kernel stable tree, with commits backported to various stable versions [2][3]. Users should update to a patched kernel version. No workaround is available other than applying the kernel patch.