CVE-2025-40189
Description
In the Linux kernel, the following vulnerability has been resolved:
net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in lan78xx_read_raw_eeprom
Syzbot reported read of uninitialized variable BUG with the following call stack.

lan78xx 8-1:1.0 (unnamed net_device) (uninitialized): EEPROM read operation timeout
=====================================================
BUG: KMSAN: uninit-value in lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1095 [inline]
BUG: KMSAN: uninit-value in lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline]
BUG: KMSAN: uninit-value in lan78xx_reset+0x999/0x2cd0 drivers/net/usb/lan78xx.c:3241
 lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1095 [inline]
 lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline]
 lan78xx_reset+0x999/0x2cd0 drivers/net/usb/lan78xx.c:3241
 lan78xx_bind+0x711/0x1690 drivers/net/usb/lan78xx.c:3766
 lan78xx_probe+0x225c/0x3310 drivers/net/usb/lan78xx.c:4707

Local variable sig.i.i created at:
 lan78xx_read_eeprom drivers/net/usb/lan78xx.c:1092 [inline]
 lan78xx_init_mac_address drivers/net/usb/lan78xx.c:1937 [inline]
 lan78xx_reset+0x77e/0x2cd0 drivers/net/usb/lan78xx.c:3241
 lan78xx_bind+0x711/0x1690 drivers/net/usb/lan78xx.c:3766
The function lan78xx_read_raw_eeprom failed to properly propagate EEPROM read timeout errors (-ETIMEDOUT). In the fallthrough path, it first attempted to restore the pin configuration for LED outputs and then returned only the status of that restore operation, discarding the original timeout error.
As a result, callers could mistakenly treat the data buffer as valid even though the EEPROM read had actually timed out with no data or partial data.
To fix this, handle errors in restoring the LED pin configuration separately. If the restore succeeds, return any prior EEPROM timeout error correctly to the caller.
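The error-propagation pattern described above, as an added example that is not the kernel driver's code: a user-space C model in which the EEPROM read and the LED pin restore are simulated stubs, and every function and variable name is hypothetical. It puts the cleanup status overwriting -ETIMEDOUT beside the corrected return logic, and shows what a caller that checks only the return code concludes in each case.

```c
/* User-space model of the pattern; not the kernel driver's code.
 * All names and the simulated hardware below are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

static int eeprom_times_out;   /* simulated: EEPROM never becomes ready */
static int led_restore_fails;  /* simulated: LED pin restore write fails */

/* Simulated EEPROM read: fills buf only on success. */
static int model_eeprom_read(unsigned char *buf, size_t len)
{
    if (eeprom_times_out)
        return -ETIMEDOUT;     /* buf is left untouched */
    memset(buf, 0xA5, len);
    return 0;
}
static int model_restore_led(void) { return led_restore_fails ? -EIO : 0; }

/* Pattern described above: the restore status overwrites the read status. */
int read_raw_buggy(unsigned char *buf, size_t len)
{
    int ret = model_eeprom_read(buf, len);
    ret = model_restore_led(); /* -ETIMEDOUT is discarded here */
    return ret;
}

/* Corrected pattern: restore errors handled separately, read status kept. */
int read_raw_fixed(unsigned char *buf, size_t len)
{
    int ret = model_eeprom_read(buf, len);
    int rc = model_restore_led();
    return rc < 0 ? rc : ret;
}

/* Returns 1 if a caller checking only the return code would trust buf. */
int caller_trusts_buffer(int (*rd)(unsigned char *, size_t))
{
    unsigned char sig;         /* uninitialized local, never read here */
    return rd(&sig, 1) == 0;
}

int main(void)
{
    eeprom_times_out = 1;      /* force the timeout path */
    printf("trusted: buggy=%d fixed=%d\n", caller_trusts_buffer(read_raw_buggy),
           caller_trusts_buffer(read_raw_fixed));
    return 0;
}
```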
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's lan78xx driver, a missing error propagation from EEPROM timeout leads to an uninitialized variable bug.
Vulnerability
Description
In the Linux kernel's lan78xx USB Ethernet driver, the function lan78xx_read_raw_eeprom fails to properly propagate a -ETIMEDOUT error from an EEPROM read timeout. When a timeout occurs, the driver attempts to restore pin configuration for LED outputs, but it returns only the status of that restore operation, discarding the original timeout error. As a result, callers such as lan78xx_init_mac_address may treat the data buffer as valid when it contains uninitialized data, leading to an uninit-value use bug [1].
Exploitation
No special privileges or network access are required to trigger this bug; it can occur during normal device initialization when the driver probes a LAN78xx-based USB Ethernet adapter. An attacker with physical access to the USB bus or a malicious device could potentially cause the EEPROM read to time out, leading to the use of uninitialized stack data. The bug is reachable from the device probe path and does not require any specific authentication [1].
Impact
A local attacker able to control the USB device or cause EEPROM read failures could trigger the uninitialized variable use, potentially leading to unpredictable driver behavior, system memory corruption, or an exploitable condition. The issue manifests as a KMSAN warning and could allow an attacker to leak kernel memory or escalate privileges [1].
Mitigation
The fix, commit 49bdb63ff644, properly handles errors in the EEPROM read function: if the restore of LED pin configuration succeeds, the original timeout error is returned rather than being overwritten. Users should update their kernel to a version containing this commit. No known workaround exists [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 2
a72a7c4f6750
49bdb63ff644
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2