CVE-2025-40330
Description
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Shutdown FW DMA in bnxt_shutdown()
The netif_close() call in bnxt_shutdown() only stops packet DMA. There may be FW DMA for trace logging (recently added) that will continue. If we kexec to a new kernel, the DMA will corrupt memory in the new kernel.
Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA. In case the call fails, call pcie_flr() to reset the function and stop the DMA.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A DMA shutdown flaw in bnxt_en driver can cause memory corruption during kexec; fixed by stopping FW DMA in bnxt_shutdown().
Vulnerability
Overview
In the Linux kernel's bnxt_en driver for Broadcom NetXtreme Ethernet devices, the bnxt_shutdown() function calls netif_close() to stop packet DMA but fails to halt firmware (FW) DMA operations used for trace logging. This leaves active DMA channels that can corrupt memory when the system kexecs into a new kernel, leading to potential data integrity issues or system crashes [1].
Exploitation
Context
Exploitation requires an attacker with physical access or the ability to trigger a kexec reboot on a system using the affected bnxt_en driver. No authentication is required beyond the ability to initiate a kexec transition. The vulnerability is triggered during the shutdown path, where the driver does not properly quiesce all DMA activity before the kernel is replaced [1].
Impact
An attacker who can force a kexec reboot (e.g., through a crafted shutdown sequence) could cause the FW to write to freed or reallocated memory in the new kernel, potentially leading to arbitrary memory corruption. This could lead to denial of service or, in some scenarios, privilege escalation if the corruption affects critical kernel structures [1].
Mitigation
The fix adds a call to bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the firmware, stopping FW DMA. If that call fails, the driver falls back to pcie_flr() to reset the PCIe function and halt DMA. The patch has been merged into the stable kernel tree [1]. Users should apply the update from their distribution [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
21a8a15c3f71dbc7208ca805a
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.