Vulnerability in Linux Kernel's USB LAN78XX Driver
CVE-2025-40189

Currently unrated

Key Information:

  • Vendor: Linux
  • Status: Vendor
  • CVE Published: 12 November 2025

What is CVE-2025-40189?

The LAN78XX driver in the Linux kernel contains a vulnerability in its EEPROM read path that can result in a read of an uninitialized variable. Specifically, the driver does not propagate the error correctly when an EEPROM read times out: after the read, the driver restores the LED pin configuration, and the result of that restore step replaces the original timeout error. A caller therefore sees success and may treat the data buffer as valid even though the read never filled it. This can leave the system operating on incorrect assumptions about the integrity of the data it processes, increasing the risk of unexpected behaviour or failures. The issue has been addressed by handling EEPROM read errors properly, so that a successful restoration of the LED configuration no longer masks the timeout error.
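As an added illustration, not code from this page or from the kernel, the following constructed C model shows the error-masking shape described above next to a corrected version. The names dev_model, eeprom_read_raw and restore_led_pins are hypothetical stand-ins, not lan78xx driver symbols.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model; names are hypothetical, not the lan78xx driver's own symbols. */
struct dev_model {
    int eeprom_responds;  /* 0 simulates an EEPROM read timeout */
    uint32_t led_cfg;     /* LED pin configuration register */
};

/* Fills buf on success; on timeout returns -ETIMEDOUT and leaves buf untouched. */
static int eeprom_read_raw(struct dev_model *dev, uint8_t *buf, size_t len)
{
    if (!dev->eeprom_responds)
        return -ETIMEDOUT;
    memset(buf, 0xA5, len);
    return 0;
}
/* Restores the LED pin configuration; always succeeds in this model. */
static int restore_led_pins(struct dev_model *dev, uint32_t saved)
{
    dev->led_cfg = saved;
    return 0;
}

/* Vulnerable pattern: the restore's return value overwrites the read's
 * status, so a timed-out read is reported as 0 and buf is never filled. */
int eeprom_read_buggy(struct dev_model *dev, uint8_t *buf, size_t len)
{
    uint32_t saved = dev->led_cfg;
    int ret;
    dev->led_cfg = 0;                   /* LED pins to GPIO mode for the read */
    ret = eeprom_read_raw(dev, buf, len);
    ret = restore_led_pins(dev, saved); /* masks -ETIMEDOUT from the read */
    return ret;
}

/* Fixed pattern: keep the read's status; the restore's result only counts
 * when the read itself succeeded. */
int eeprom_read_fixed(struct dev_model *dev, uint8_t *buf, size_t len)
{
    uint32_t saved = dev->led_cfg;
    int ret, restore_ret;
    dev->led_cfg = 0;
    ret = eeprom_read_raw(dev, buf, len);
    restore_ret = restore_led_pins(dev, saved);
    if (ret == 0)
        ret = restore_ret;
    return ret;
}
```

With a non-responding EEPROM the buggy variant returns 0 and leaves the buffer unwritten, while the fixed variant returns -ETIMEDOUT and still restores the LED configuration.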

Affected Version(s)

  • Linux from commit 8b1b2ca83b200fa46fdfb81e80ad5fe34537e6d4
  • Linux from commit 8b1b2ca83b200fa46fdfb81e80ad5fe34537e6d4 before commit 49bdb63ff64469a6de8ea901aef123c75be9bbe7
  • Linux 6.14

References

Timeline

  • Vulnerability published

  • Vulnerability reserved
