CVE-2025-40219

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The Linux kernel had a synchronization issue related to SR-IOV (Single Root I/O Virtualization) enabling and disabling. Specifically, the sriov disable() function lacked proper locking mechanisms when removing PCI devices representing Virtual Functions (VFs). This lack of locking could lead to double removal and list corruption, particularly observed on s390 systems. The issue stemmed from the absence of serialization against concurrent remove and rescan operations using the pci rescan remove lock. The problem was exacerbated by the interaction with hot-unplug events generated by the platform, which could race with the VF removal process. The fix involves adding the missing locking to the sriov del vfs() helper function and ensuring proper locking in sriov add vfs() as well, including error cases.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.