DEBIAN-CVE-2025-40160

DEBIAN-CVE-2025-40160 PUBLISHED CVSS 8.699999809265137 HIGH

In the Linux kernel, the following vulnerability has been resolved: xen/events: Return -EEXIST for bound VIRQs Change find_virq() to return -EEXIST when a VIRQ is bound to a different CPU than the one passed in. With that, remove the BUG_ON() from bind_virq_to_irq() to propogate the error upwards. Some VIRQs are per-cpu, but others are per-domain or global. Those must be bound to CPU0 and can then migrate elsewhere. The lookup for per-domain and global will probably fail when migrated off CPU 0, especially when the current CPU is tracked. This now returns -EEXIST instead of BUG_ON(). A second call to bind a per-domain or global VIRQ is not expected, but make it non-fatal to avoid trying to look up the irq, since we don't know which per_cpu(virq_to_irq) it will be in.

Risk Scores

CVSS v4.0

8.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
Debian:11	linux	5.10.158-1, 6.1.94-1, 6.1.94-1~bpo11+1
Debian:14	linux	6.16.11-1, 6.12.41-1, 6.12.43-1
Debian:12	linux	6.12.9-1+alpha, 6.12.9-1~bpo12+1, 6.12~rc6-1~exp1
Debian:13	linux	6.12.41-1, 6.12.43-1, 6.12.43-1~bpo12+1

Timeline

Nov 12, 2025 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2025-40160 advisory

Open in Interactive Console →