Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local access with low privileges required to trigger VF interrupt path; no confidentiality or integrity impact; availability impact is high due to potential VF NIC failure.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
net: libwx: use request_irq for VF misc interrupt
Currently, request_threaded_irq() is used with a primary handler but a NULL threaded handler, while also setting the IRQF_ONESHOT flag. This specific combination triggers a WARNING since the commit aef30c8d569c ("genirq: Warn about using IRQF_ONESHOT without a threaded handler").
WARNING: kernel/irq/manage.c:1502 at __setup_irq+0x4fa/0x760
Fix the issue by switching to request_irq(), which is the appropriate interface or a non-threaded interrupt handler, and removing the unnecessary IRQF_ONESHOT flag.
AnalysisAI
Improper interrupt registration in the Linux kernel's libwx network driver causes a kernel WARNING when VF (Virtual Function) misc interrupts are initialized, resulting in high availability impact on affected systems. The libwx driver incorrectly calls request_threaded_irq() with a primary handler, a NULL threaded handler, and the IRQF_ONESHOT flag - an invalid combination flagged as a WARNING by the kernel interrupt management subsystem since commit aef30c8d569c. Exploitation requires local access with low privileges on a system equipped with a Wangxun VF NIC using the libwx driver; no public exploit code exists and EPSS is negligible at 0.02%.
Technical ContextAI
The libwx module is the Linux kernel driver for Wangxun (WX-series) network adapters. The bug resides in how VF (SR-IOV Virtual Function) misc interrupt handlers are registered. The kernel interrupt management API mandates that IRQF_ONESHOT - which defers re-enabling the interrupt line until the threaded handler completes - must only be paired with a non-NULL threaded handler. Using request_threaded_irq() with a real primary handler, a NULL thread_fn, and IRQF_ONESHOT was made explicitly illegal by commit aef30c8d569c ('genirq: Warn about using IRQF_ONESHOT without a threaded handler'), which emits a WARN_ON at kernel/irq/manage.c:1502. The correct fix is request_irq(), the standard synchronous interrupt registration call, with IRQF_ONESHOT removed. No CWE is assigned in the input data; the root cause is best classified as improper use of a kernel API (analogous to CWE-628: Function Call with Incorrectly Specified Arguments).
RemediationAI
Update the Linux kernel to a version containing the libwx VF interrupt fix: 6.18.30, 7.0.7, or 7.1-rc3 (or later). The upstream fix commits are confirmed at https://git.kernel.org/stable/c/1bca036fe3607182c21f05e2b262167edbef086c, https://git.kernel.org/stable/c/a841574c6e573132681aa57f9b43a0a897a423f6, and https://git.kernel.org/stable/c/7a33345153eeeda195c55f15be27074e4c3b5109. As a compensating control, operators who cannot immediately patch may disable SR-IOV VF instantiation on Wangxun NICs to prevent the libwx VF misc interrupt code path from executing; this eliminates the trigger but also disables VF NIC functionality. No confidentiality or integrity risk warrants emergency patching - normal patching cycles are appropriate unless SR-IOV NIC availability is operationally critical.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35163
GHSA-vgg8-63wp-8qqp