Listen to this Post
The vulnerability exists in the i40e network driver within the Linux kernel. The issue occurs in a tracepoint assigned to the NAPI poll function. The problematic code uses the `get_cpu()` function to retrieve the current CPU number without a corresponding `put_cpu()` call. `get_cpu()` disables kernel preemption and increments a per-CPU preempt_count variable to prevent task migration. Normally, `put_cpu()` would later re-enable preemption and decrement this count. However, because the tracepoint assignment lacks put_cpu(), the preemption counter becomes unbalanced. When a softirq (specifically NET_RX) triggers the tracepoint, the system enters with a preempt_count value but exits with a higher value. This leak is evident in kernel log messages like: softirq: huh, entered softirq 3 NET_RX with preempt_count 00000100, exited with 00000101. The leak causes kernel instability and potential denial of service. The fix replaces the unsafe `get_cpu()` usage with smp_processor_id(), which simply reads the current CPU number without altering preemption state. This vulnerability was introduced over three years ago and remained unnoticed until recently. The issue affects all Linux kernel versions that include the i40e driver with the defective tracepoint. Systems with Intel network adapters using the i40e driver are particularly exposed. Local users can trigger the tracepoint to cause the preempt count leak, leading to softirq warnings and system degradation. The vulnerability does not allow privilege escalation but can reliably cause denial of service.
Platform: Linux Kernel
Version: Specific vulnerable
Vulnerability: Preempt count leak
Severity: High
date: 2026-03-25
Prediction: Patch 2026-03-25
What Undercode Say:
Check current kernel version uname -r Enable i40e tracepoint to trigger leak (requires root) echo 1 > /sys/kernel/debug/tracing/events/i40e/i40e_clean_tx_irq/enable Monitor preempt count changes in real-time cat /proc/softirqs | grep NET_RX Simulate network traffic to trigger NAPI poll ping -f target_ip Check kernel logs for preempt count warnings dmesg | grep "preempt_count" Apply patch by updating kernel (example for Debian/Ubuntu) sudo apt update && sudo apt install linux-image-$(uname -r) Verify fixed kernel version (6.12.77 or later) uname -r | grep -E "6.12.77|6.18.17|6.19.7|7.0"
Exploit:
Local user triggers i40e tracepoint causing preempt leak and kernel warnings.
Protection from this CVE:
Update to kernel 6.12.77+, 6.18.17+, or 6.19.7+; or apply i40e patch.
Impact:
Softirq warnings, preempt imbalance, and denial of service.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

