CVE-2025-71156 in Linux

Summary

by MITRE • 01/23/2026

In the Linux kernel, the following vulnerability has been resolved:

gve: defer interrupt enabling until NAPI registration

Currently, interrupts are automatically enabled immediately upon request. This allows the interrupt to fire before the associated NAPI context is fully initialized and cause failures like the one below:

[ 0.946369] Call Trace:
[ 0.946369] <IRQ>
[ 0.946369] __napi_poll+0x2a/0x1e0
[ 0.946369] net_rx_action+0x2f9/0x3f0
[ 0.946369] handle_softirqs+0xd6/0x2c0
[ 0.946369] ? handle_edge_irq+0xc1/0x1b0
[ 0.946369] __irq_exit_rcu+0xc3/0xe0
[ 0.946369] common_interrupt+0x81/0xa0
[ 0.946369] </IRQ>
[ 0.946369] <TASK>
[ 0.946369] asm_common_interrupt+0x22/0x40
[ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10

Use the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto enablement and explicitly enable the interrupt in NAPI initialization path (and disable it during NAPI teardown).

This ensures that interrupt lifecycle is strictly coupled with readiness of NAPI context.


Analysis

by VulDB Data Team • 05/17/2026

The vulnerability identified as CVE-2025-71156 resides within the Linux kernel's network driver subsystem, specifically affecting the gve (Google Virtual Ethernet) driver implementation. This issue represents a classic race condition problem where interrupt handling occurs before the associated network processing context is properly initialized. The flaw manifests during the device initialization process when the driver attempts to enable interrupts immediately upon request without ensuring that the NAPI (Network API) context has been fully established. This premature interrupt activation creates a window where hardware interrupts can be processed before the kernel's network processing infrastructure is ready to handle them, leading to potential system instability and crashes.

The technical root cause of this vulnerability stems from improper interrupt lifecycle management within the gve driver's initialization sequence. When interrupts are automatically enabled during the request phase, they can fire before the NAPI polling context has been registered and configured. The call trace provided in the vulnerability description shows the interrupt handler attempting to process network packets through the __napi_poll function, which fails because the NAPI context is not yet fully initialized. This pattern aligns with CWE-362, which describes a race condition where concurrent operations can lead to unpredictable behavior, and specifically relates to CWE-665, which addresses improper initialization of resources. The vulnerability demonstrates a fundamental flaw in the driver's interrupt management protocol where the timing of interrupt enabling and NAPI registration is not properly synchronized.

The operational impact of this vulnerability extends beyond simple system crashes to potentially compromise network connectivity and overall system stability during boot processes or device reinitialization. When the interrupt fires prematurely, it can cause kernel oops or panic conditions that result in system hangs or forced reboots. Network operations may become unreliable as the driver struggles to properly handle incoming packets before the processing context is ready. The vulnerability affects systems using the gve driver, which is commonly found in virtualized environments and cloud computing platforms where Google Virtual Ethernet devices are utilized. This makes the impact particularly significant for infrastructure providers and cloud service operators who rely on stable network operations for their services. The issue also aligns with ATT&CK technique T1490, which involves denial of service through manipulation of system resources, as the vulnerability can be exploited to cause system instability.

The fix implemented for this vulnerability involves a two-pronged approach that strictly couples interrupt lifecycle management with NAPI context readiness. The solution introduces the IRQF_NO_AUTOEN flag when requesting interrupts, which prevents the automatic enabling of interrupts during the initial request phase. Instead, the driver explicitly enables interrupts only during the NAPI initialization path, ensuring that the interrupt handling mechanism is fully synchronized with the network processing infrastructure. This approach also includes disabling interrupts during NAPI teardown, creating a complete lifecycle management pattern. This mitigation strategy directly addresses the timing issue by ensuring that interrupt processing only begins when the NAPI context is fully operational, preventing the premature interrupt firing that caused the system failures. The fix represents a standard best practice for interrupt management in kernel drivers and aligns with security engineering principles that emphasize proper resource initialization and lifecycle management to prevent race conditions and timing-related vulnerabilities.
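To make the ordering problem from the commit description and the analysis above concrete, here is an added userspace model (not the gve driver's or the kernel's code) of the interrupt/NAPI lifecycle. The request flag, the `model_*` functions and the `early_fires` counter are hypothetical stand-ins for request_irq(), enable_irq(), disable_irq() and the NAPI registration path; an interrupt is raised deliberately between request and NAPI registration so the two request modes can be compared.

```c
#include <stdbool.h>
#include <stddef.h>

#define IRQF_NO_AUTOEN_FLAG 1 /* hypothetical stand-in for the kernel's IRQF_NO_AUTOEN */
struct napi_ctx {
    int (*poll)(struct napi_ctx *); /* NULL until NAPI is registered */
    int polled;
};
struct irq_line {
    bool enabled;
    struct napi_ctx *napi;
    int early_fires; /* handler ran while napi->poll was still NULL */
};
static int rx_poll(struct napi_ctx *n) { return ++n->polled; }

/* Model of request_irq(): without NO_AUTOEN the line is live immediately. */
static void model_request_irq(struct irq_line *irq, struct napi_ctx *n, int flags) {
    irq->napi = n;
    irq->early_fires = 0;
    irq->enabled = !(flags & IRQF_NO_AUTOEN_FLAG);
}

/* Hardware raises the line; a masked line is simply ignored. */
static void model_raise_irq(struct irq_line *irq) {
    if (!irq->enabled) return;
    if (irq->napi->poll == NULL) { irq->early_fires++; return; } /* the race */
    irq->napi->poll(irq->napi);
}

/* NAPI bring-up registers poll, then enable_irq(); teardown reverses it. */
static void model_napi_enable(struct irq_line *irq, struct napi_ctx *n) {
    n->poll = rx_poll;
    irq->enabled = true;
}
static void model_napi_disable(struct irq_line *irq, struct napi_ctx *n) {
    irq->enabled = false;
    n->poll = NULL;
}

/* One bring-up with an interrupt arriving before NAPI registration; returns early-fire count. */
static int bring_up(int flags) {
    struct napi_ctx n = { .poll = NULL, .polled = 0 };
    struct irq_line irq;
    model_request_irq(&irq, &n, flags);
    model_raise_irq(&irq);       /* arrives before NAPI is ready */
    model_napi_enable(&irq, &n);
    model_raise_irq(&irq);       /* now serviced by rx_poll */
    model_napi_disable(&irq, &n);
    return irq.early_fires;
}
```

With auto-enable the first interrupt reaches the handler while no poll routine is registered (the window the call trace shows); with the NO_AUTOEN flag it is masked until the NAPI path enables the line.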

Responsible: Linux

Reservation: 01/13/2026

Disclosure: 01/23/2026

Moderation: accepted

CPE: ready

EPSS: 0.00022

KEV: no

Activities: very low
