VYPR
← All advisories
Unrated severityNVD Advisory· Published Nov 12, 2025· Updated Apr 15, 2026

CVE-2025-40160

CVE-2025-40160

Description

In the Linux kernel, the following vulnerability has been resolved:

xen/events: Return -EEXIST for bound VIRQs

Change find_virq() to return -EEXIST when a VIRQ is bound to a different CPU than the one passed in. With that, remove the BUG_ON() from bind_virq_to_irq() to propogate the error upwards.

Some VIRQs are per-cpu, but others are per-domain or global. Those must be bound to CPU0 and can then migrate elsewhere. The lookup for per-domain and global will probably fail when migrated off CPU 0, especially when the current CPU is tracked. This now returns -EEXIST instead of BUG_ON().

A second call to bind a per-domain or global VIRQ is not expected, but make it non-fatal to avoid trying to look up the irq, since we don't know which per_cpu(virq_to_irq) it will be in.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel vulnerability in xen/events: find_virq() now returns -EEXIST for bound VIRQs, replacing a BUG_ON() that could crash the system.

Vulnerability

In the Linux kernel's Xen event subsystem, the function find_virq() was modified to return -EEXIST when a VIRQ (virtual IRQ) is already bound to a different CPU than requested. Previously, this condition triggered a BUG_ON(), causing a kernel panic.

Exploitation

This issue affects VIRQs that are per-domain or global (rather than per-CPU), which must initially be bound to CPU0 but can later migrate to other CPUs. If a subsequent call attempted to bind the same VIRQ to a different CPU without proper lookup, the system would crash due to the BUG_ON(). The attack surface is local; an attacker would need to be able to trigger such a binding attempt, possibly through specific Xen operations.

Impact

An attacker who can trigger this condition could cause a denial of service (system crash). The patch changes the behavior to return -EEXIST instead, allowing graceful error propagation and avoiding the fatal crash.

Mitigation

The fix has been backported to stable kernel trees as shown in references [1] and [2]. Users should update their kernels to include this patch to prevent potential crashes when binding VIRQs that have migrated off CPU0.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

4
612ef6056855
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
a1e7f07ae6b5
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
f81db055a793
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
07ce121d93a5
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.