CVE-2025-40219
Description
In the Linux kernel, the following vulnerability has been resolved:
PCI/IOV: Fix race between SR-IOV enable/disable and hotplug
Commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV") tried to fix a race between the VF removal inside sriov_del_vfs() and concurrent hot unplug by taking the PCI rescan/remove lock in sriov_del_vfs(). Similarly the PCI rescan/remove lock was also taken in sriov_add_vfs() to protect addition of VFs.
This approach, however, causes a deadlock when trying to remove PFs with SR-IOV enabled, because PFs disable SR-IOV during removal and this removal happens under the PCI rescan/remove lock. So the original fix had to be reverted.
Instead of taking the PCI rescan/remove lock in sriov_add_vfs() and sriov_del_vfs(), fix the race that occurs with SR-IOV enable and disable vs hotplug higher up in the callchain by taking the lock in sriov_numvfs_store() before calling into the driver's sriov_configure() callback.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a race condition in PCI/IOV between SR-IOV enable/disable and hotplug was fixed by moving lock acquisition to prevent deadlock.
Vulnerability
Analysis
CVE-2025-40219 describes a race condition in the Linux kernel's PCI/IOV subsystem between SR-IOV enable/disable operations and PCI hotplug events. An earlier fix attempt (commit 05703271c3cd) took the PCI rescan-remove lock in sriov_del_vfs() and sriov_add_vfs(), but that caused a deadlock when removing a PF with SR-IOV enabled, because PF removal already runs under that lock and disables SR-IOV as part of the removal.
Exploitation
The race can be triggered by an attacker with local access who can concurrently initiate SR-IOV configuration changes (e.g., writing to the sriov_numvfs sysfs attribute) and hot unplug or hot add events. No privileges beyond the ability to manage PCI devices are required, though the attack surface is limited to systems with SR-IOV capable hardware.
Impact
A successful exploit may lead to a use-after-free or other memory corruption, resulting in a system crash or potential privilege escalation. The exact impact depends on the driver and hardware, but the vulnerability is classified with a CVSS score indicating moderate severity.
Mitigation
The fix is included in Linux kernel stable updates. It moves the lock acquisition from sriov_add_vfs() and sriov_del_vfs() to sriov_numvfs_store(), acquiring the PCI rescan-remove lock before calling the driver's sriov_configure() callback. Users should apply the latest kernel patches to mitigate this vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
- 85c1cd7d405e91e8a80290f96a645ca21de09a24
- 21917245636039348bca753154cd40ccfee40e5d
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/1047ca2d816994f31e1475e63e0c0b7825599747 (nvd)
- git.kernel.org/stable/c/3cddde484471c602bea04e6f384819d336a1ff84 (nvd)
- git.kernel.org/stable/c/7c37920c96b85ef4255a7acc795e99e63dd38d59 (nvd)
- git.kernel.org/stable/c/97c18f074ff1c12d016a0753072a3afdfa0b9611 (nvd)
- git.kernel.org/stable/c/a5338e365c4559d7b4d7356116b0eb95b12e08d5 (nvd)
- git.kernel.org/stable/c/bea1d373098b22d7142da48750ce5526096425bc (nvd)
- git.kernel.org/stable/c/d7673ac466eca37ec3e6b7cc9ccdb06de3304e9b (nvd)
- git.kernel.org/stable/c/f3015627b6e9ddf85cfeaf42405b3c194dde2c36 (nvd)
News mentions (0)
No linked articles in our index yet.