CVE-2025-39901

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The i40e driver in the Linux kernel contains a flaw related to debugfs files ('command' and 'netdev ops'). These files expose a debugging interface with questionable logic and potential for information disclosure. Specifically, the 'netdev ops' file could allow reading beyond the bounds of an allocated buffer due to the use of snprintf and a lack of proper locking mechanisms when handling simultaneous writes from multiple devices. The 'command' file also uses a static buffer, wasting space and potentially leading to memory access issues. The issue stems from the read handlers in these debugfs files, which use static buffers and lack adequate protection against overflows. The vulnerability could be exploited by carefully crafting command input to cause snprintf to truncate, leading to out-of-bounds reads during copy to user. The 'command' file is susceptible to similar issues, although the risk is lower due to the static buffer always being zero.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.