Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-39969

Опубликовано: 15 окт. 2025
Источник: redhat
CVSS3: 6.5

Описание

In the Linux kernel, the following vulnerability has been resolved: i40e: fix validation of VF state in get resources VF state I40E_VF_STATE_ACTIVE is not the only state in which VF is actually active so it should not be used to determine if a VF is allowed to obtain resources. Use I40E_VF_STATE_RESOURCES_LOADED that is set only in i40e_vc_get_vf_resources_msg() and cleared during reset.

Отчет

This vulnerability can in theory be triggered by an unprivileged user with guest access to a virtual machine, since the primary issue arises when the VF driver initializes (ex. during a VM boot/reboot) and then sends a virtchnl message to the PF. Note however that this attack path is non-deterministic, as the unprivileged user does not have control over the timing of the calls that could lead to the PF to perform improper state validation.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 10kernelFix deferred
Red Hat Enterprise Linux 6kernelNot affected
Red Hat Enterprise Linux 7kernelNot affected
Red Hat Enterprise Linux 7kernel-rtNot affected
Red Hat Enterprise Linux 8kernelFix deferred
Red Hat Enterprise Linux 8kernel-rtFix deferred
Red Hat Enterprise Linux 9kernelFix deferred
Red Hat Enterprise Linux 9kernel-rtFix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
https://bugzilla.redhat.com/show_bug.cgi?id=2404097kernel: i40e: fix validation of VF state in get resources

6.5 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2025-39969

ubuntu
5 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: i40e: fix validation of VF state in get resources VF state I40E_VF_STATE_ACTIVE is not the only state in which VF is actually active so it should not be used to determine if a VF is allowed to obtain resources. Use I40E_VF_STATE_RESOURCES_LOADED that is set only in i40e_vc_get_vf_resources_msg() and cleared during reset.

nvd логотип

CVE-2025-39969

nvd
5 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: i40e: fix validation of VF state in get resources VF state I40E_VF_STATE_ACTIVE is not the only state in which VF is actually active so it should not be used to determine if a VF is allowed to obtain resources. Use I40E_VF_STATE_RESOURCES_LOADED that is set only in i40e_vc_get_vf_resources_msg() and cleared during reset.

msrc логотип

CVE-2025-39969

CVSS3: 5.5
msrc
5 месяцев назад

i40e: fix validation of VF state in get resources

debian логотип

CVE-2025-39969

debian
5 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: i ...

github логотип

GHSA-xxpg-m5qg-jjxh

github
5 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: i40e: fix validation of VF state in get resources VF state I40E_VF_STATE_ACTIVE is not the only state in which VF is actually active so it should not be used to determine if a VF is allowed to obtain resources. Use I40E_VF_STATE_RESOURCES_LOADED that is set only in i40e_vc_get_vf_resources_msg() and cleared during reset.

6.5 Medium

CVSS3