CVE-2025-39958: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability has been identified in the Linux kernel's IOMMU/s390 subsystem, tracked as CVE-2025-39958. The issue was discovered and disclosed on October 9, 2025, affecting the device attachment process during surprise removal scenarios. This vulnerability specifically impacts Linux systems running on s390 architecture, particularly affecting the PCI device handling mechanism (NVD).

The vulnerability occurs when a PCI device is removed with surprise hotplug, where attempts to attach the device to the default domain continue as part of tear down via iommureleasedma_ownership() or during probe via iommuprobedevice(). In these cases, zpciregisterioat() fails with a condition code indicating an invalid device handle, as the device is no longer recognized by the hypervisor. This triggers a WARNON() in _iommugroupsetdomainnofail() due to a failed attachment to the default domain (NVD, Debian Tracker).

The vulnerability has been assessed as having a low severity impact. When the device is fenced by the hypervisor, no Direct Memory Access (DMA) operations to or from memory are possible, and IOMMU translations have no effect. The issue primarily affects system stability and error handling rather than presenting direct security risks (Red Hat Security).

The vulnerability has been fixed in Linux kernel version 6.16.9-1 and later. Systems running earlier versions should upgrade to the patched version. For Debian systems, fixes are available in the 'forky' and 'sid' releases, while earlier releases remain vulnerable (Debian Tracker).