CVE-2025-71156 Overview
A race condition vulnerability has been identified in the Linux kernel's Google Virtual Ethernet (GVE) network driver. The vulnerability occurs because interrupts are automatically enabled immediately upon request, allowing them to fire before the associated NAPI (New API) polling context is fully initialized. This timing issue can lead to system instability and potential denial of service conditions.
Critical Impact
Premature interrupt firing before NAPI context initialization can cause kernel panics and system failures, particularly affecting virtualized environments using the GVE driver.
Affected Products
- Linux kernel with GVE (Google Virtual Ethernet) driver enabled
- Google Cloud Platform virtual machines using virtio-net/GVE
- Systems utilizing GVE network interfaces
Discovery Timeline
- 2026-01-23 - CVE CVE-2025-71156 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-71156
Vulnerability Analysis
The vulnerability exists in the interrupt handling initialization sequence of the GVE network driver within the Linux kernel. The core issue is a race condition between interrupt enablement and NAPI context registration.
When the GVE driver requests interrupts, they are immediately enabled by default without waiting for the NAPI polling context to complete initialization. If an interrupt fires during this window, the kernel attempts to invoke NAPI polling functions (__napi_poll) on an incompletely initialized context, triggering failures in the network receive path.
The call trace captured during the failure demonstrates the interrupt firing during the common_interrupt handler, subsequently invoking net_rx_action and __napi_poll before the NAPI data structures are properly configured.
Root Cause
The root cause is the lack of synchronization between interrupt request/enablement and NAPI context initialization in the GVE driver. By default, the request_irq() function enables interrupts immediately upon successful registration. The GVE driver did not use the IRQF_NO_AUTOEN flag to defer interrupt enablement, creating a race window where interrupts could be delivered before the corresponding NAPI context was ready to handle them.
Attack Vector
This vulnerability is triggered through a race condition during driver initialization. The attack vector involves the timing between interrupt registration and NAPI initialization. While this is primarily an internal kernel race condition that manifests during system boot or driver module loading, it could potentially be triggered by:
- Rapid network interface bring-up/tear-down operations
- Module loading sequences that stress the initialization path
- High interrupt load conditions during driver initialization
The vulnerability can cause system instability and denial of service through kernel panics, particularly affecting virtualized workloads on Google Cloud Platform.
Detection Methods for CVE-2025-71156
Indicators of Compromise
- Kernel panic messages containing __napi_poll in the call trace during GVE driver initialization
- System crashes during boot on GCE/GCP virtual machines with GVE enabled
- Log entries showing net_rx_action failures with IRQ context traces
- Unexpected network interface failures during initialization phases
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for call traces involving __napi_poll, net_rx_action, and common_interrupt in the GVE driver context
- Implement automated kernel panic detection and analysis to identify race condition symptoms
- Review system boot logs for any network driver initialization failures
- Use kernel tracing tools (ftrace, perf) to monitor interrupt timing relative to NAPI registration
Monitoring Recommendations
- Configure kernel crash dump collection (kdump) to capture diagnostic information during failures
- Set up alerting on system reboots and kernel panic events for GVE-enabled systems
- Monitor GVE driver module loading events and correlate with system stability metrics
- Implement health checks for network interface availability during and after system initialization
How to Mitigate CVE-2025-71156
Immediate Actions Required
- Apply the latest Linux kernel patches containing the fix for the GVE driver interrupt initialization
- Schedule maintenance windows to update affected systems running on Google Cloud Platform
- Consider temporarily using alternative network drivers if GVE stability issues are observed
- Review and test kernel updates in staging environments before production deployment
Patch Information
The vulnerability has been resolved through kernel commits that modify the GVE driver to use the IRQF_NO_AUTOEN flag when requesting interrupts. This flag prevents automatic interrupt enablement, allowing the driver to explicitly enable interrupts only after NAPI context initialization is complete. The fix also ensures proper interrupt disablement during NAPI teardown.
Patches are available through the stable kernel Git repositories:
- Kernel Commit 3d970eda003441f66551a91fda16478ac0711617
- Kernel Commit 48f9277680925e1a8623d6b2c50aadb7af824ace
- Kernel Commit f5b7f49bd2377916ad57cbd1210c61196daff013
Workarounds
- If kernel updates cannot be immediately applied, consider disabling the GVE driver and using alternative network drivers where available
- Reduce interrupt load during system initialization by staggering network interface bring-up
- Implement system restart policies to recover from potential boot-time race condition failures
- Monitor for patches from your Linux distribution vendor and apply through standard package management
# Check current kernel version and GVE module status
uname -r
lsmod | grep gve
# Verify if patched kernel is available (distribution-specific)
# For Debian/Ubuntu:
apt update && apt list --upgradable | grep linux-image
# For RHEL/CentOS:
yum check-update kernel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
