CVE-2025-22065: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

idpf: fix adapter NULL pointer dereference on reboot

With SRIOV enabled, idpf ends up calling into idpf_remove() twice. First via idpf_shutdown() and then again when idpf_remove() calls into sriov_disable(), because the VF devices use the idpf driver, hence the same remove routine. When that happens, it is possible for the adapter to be NULL from the first call to idpf_remove(), leading to a NULL pointer dereference.

    echo 1 > /sys/class/net/<netif>/device/sriov_numvfs
    reboot

    BUG: kernel NULL pointer dereference, address: 0000000000000020
    ...
    RIP: 0010:idpf_remove+0x22/0x1f0 [idpf]
    ...
    ? idpf_remove+0x22/0x1f0 [idpf]
    ? idpf_remove+0x1e4/0x1f0 [idpf]
    pci_device_remove+0x3f/0xb0
    device_release_driver_internal+0x19f/0x200
    pci_stop_bus_device+0x6d/0x90
    pci_stop_and_remove_bus_device+0x12/0x20
    pci_iov_remove_virtfn+0xbe/0x120
    sriov_disable+0x34/0xe0
    idpf_sriov_configure+0x58/0x140 [idpf]
    idpf_remove+0x1b9/0x1f0 [idpf]
    idpf_shutdown+0x12/0x30 [idpf]
    pci_device_shutdown+0x35/0x60
    device_shutdown+0x156/0x200
    ...

Replace the direct idpf_remove() call in idpf_shutdown() with idpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform the bulk of the cleanup, such as stopping the init task, freeing IRQs, destroying the vports and freeing the mailbox. This avoids the calls to sriov_disable() in addition to a small netdev cleanup, and destroying workqueues, which don't seem to be required on shutdown.
AI Analysis
Technical Summary
CVE-2025-22065 is a vulnerability identified in the Linux kernel's idpf driver, which manages Intel Ethernet devices supporting Single Root I/O Virtualization (SR-IOV). The flaw arises during the reboot process when SR-IOV is enabled and the system attempts to remove the idpf network adapter. Specifically, the idpf driver calls its removal routine idpf_remove() twice: once via idpf_shutdown() and again when idpf_remove() calls sriov_disable(). Because the Virtual Function (VF) devices also use the idpf driver, this results in the same removal routine being invoked twice. The first call to idpf_remove() can set the adapter pointer to NULL, and the second call then dereferences this NULL pointer, causing a kernel NULL pointer dereference. This leads to a kernel crash (BUG) and system instability during reboot. The root cause is the improper cleanup sequence in the driver, which was fixed by replacing the direct call to idpf_remove() in idpf_shutdown() with calls to idpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform necessary cleanup without triggering sriov_disable() again. This prevents the double removal and the resulting NULL pointer dereference. The vulnerability affects Linux kernel versions containing the specified commit hash e850efed5e152e6bdd367d5b82019f21298c0653 and likely related versions using the idpf driver with SR-IOV enabled. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected idpf driver and SR-IOV enabled on Intel Ethernet adapters. The impact is a denial of service (DoS) condition caused by a kernel crash during reboot, which can lead to system downtime and potential disruption of critical services. This is particularly significant for data centers, cloud providers, and enterprises relying on virtualized network functions and SR-IOV for performance optimization. While the vulnerability does not directly allow for privilege escalation or remote code execution, the forced reboot failure and kernel panic can interrupt business operations and complicate system maintenance. In environments with high availability requirements, such as financial institutions, telecommunications, and critical infrastructure in Europe, this could degrade service reliability. Additionally, repeated crashes might increase the risk of data corruption or loss if systems are not properly shut down. Since the vulnerability requires SR-IOV to be enabled and affects specific hardware drivers, the scope is limited to organizations using these configurations, but those affected should prioritize patching to maintain operational stability.
Mitigation Recommendations
European organizations should take the following specific mitigation steps:

1) Identify Linux systems using Intel Ethernet adapters managed by the idpf driver with SR-IOV enabled. This can be done by checking network interface configurations and driver versions.
2) Apply the official Linux kernel patches that address CVE-2025-22065 as soon as they become available, ensuring the updated driver replaces the vulnerable code path.
3) If immediate patching is not feasible, consider temporarily disabling SR-IOV on affected network interfaces to prevent the double removal scenario during reboot. This can be done by setting /sys/class/net/<netif>/device/sriov_numvfs to 0.
4) Implement controlled reboot procedures with monitoring to detect and respond to kernel panics caused by this issue.
5) Maintain up-to-date backups and ensure recovery plans are tested to mitigate potential data loss from unexpected crashes.
6) Monitor vendor advisories and Linux kernel mailing lists for any emerging exploit reports or additional fixes.
7) For virtualized environments, coordinate with hypervisor and hardware vendors to confirm compatibility and support for patched drivers.

These targeted actions go beyond generic advice by focusing on the affected driver, SR-IOV configurations, and operational practices relevant to this vulnerability.
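One way to script steps 1, 3 and 4 above, as an added example that is not part of the advisory or of the idpf driver. The function names and the sysfs-root argument (there so the logic can be tried on a constructed directory tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example: not from the advisory or the kernel tree.
# Each function takes the sysfs root as $1 (default /sys) so it can be run
# against a constructed directory tree as well as a live host.

# Step 1: print "<netif> <numvfs>" for interfaces bound to idpf with VFs enabled.
idpf_sriov_ifaces() {
    sysfs="${1:-/sys}"
    for dev in "$sysfs"/class/net/*/device; do
        [ -L "$dev/driver" ] || continue               # skip devices with no bound driver
        drv=$(basename "$(readlink "$dev/driver")")
        [ "$drv" = "idpf" ] || continue
        [ -r "$dev/sriov_numvfs" ] || continue         # only SR-IOV capable PFs expose this
        n=$(cat "$dev/sriov_numvfs")
        [ "$n" -gt 0 ] 2>/dev/null || continue
        echo "$(basename "$(dirname "$dev")") $n"
    done
}

# Step 3: write 0 to sriov_numvfs on every interface reported above (needs root).
idpf_sriov_disable() {
    sysfs="${1:-/sys}"
    idpf_sriov_ifaces "$sysfs" | while read -r ifc rest; do
        echo 0 > "$sysfs/class/net/$ifc/device/sriov_numvfs" &&
            echo "disabled VFs on $ifc (was $rest)"
    done
}

# Step 4: succeed if a saved kernel log shows this bug's signature:
# a NULL pointer dereference whose RIP is inside idpf_remove.
has_idpf_remove_oops() {
    awk '/BUG: kernel NULL pointer dereference/ { bug = 1 }
         bug && /RIP: .*idpf_remove\+/          { found = 1 }
         END { exit !found }' "$1"
}
```

On a live host, call `idpf_sriov_ifaces` with no argument; any output on an unpatched kernel means the shutdown path described above is reachable on that machine.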
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.813Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9831c4522896dcbe7fb0
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/3/2025, 8:43:00 PM
Last updated: 7/27/2025, 5:03:10 AM