CVE-2025-22128: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel was discovered and documented as CVE-2025-22128, specifically affecting the wifi ath12k driver's IRQ handling. The issue was disclosed on April 16, 2025, and involves improper cleanup of IRQ affinity hints during error handling in the ath12k PCI driver (NVD Database).

The vulnerability occurs when a shared IRQ is used by the driver due to platform limitations. The IRQ affinity hint is set after allocating IRQ vectors in ath12kpcimsi_alloc(), but if IRQ allocation fails, the affinity hint isn't properly cleared before freeing the IRQ. This results in a warning from the IRQ core when it expects the affinity hint to be cleared. The issue has been assigned a CVSS v3.1 base score of 5.5 with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat XML).

The vulnerability has been classified with a Low severity rating. While it primarily affects system stability by triggering kernel warnings, it does not pose significant security risks in terms of confidentiality or integrity. The CVSS scoring indicates potential high impact on availability, but only through local access (Red Hat XML).

The issue has been fixed by clearing the IRQ affinity hint before calling ath12kpcifree_irq() in the error path. Various Linux distributions have responded differently: Debian Bookworm and Bullseye have been marked as 'not affected', while Red Hat Enterprise Linux 9 has deferred the fix for both kernel and kernel-rt packages (Debian Tracker, Red Hat XML).