
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2025-40160) was identified in the Linux kernel's handling of Virtual IRQs (VIRQs) in the Xen events subsystem. The issue was disclosed on November 12, 2025, and affects the kernel's Xen event handling mechanism (NVD).
The vulnerability involves the find_virq() function's behavior when a VIRQ is bound to a different CPU than the one passed in. The issue occurs specifically in the xen/events subsystem where some VIRQs are per-cpu while others are per-domain or global. The per-domain and global VIRQs must be bound to CPU0 and can then migrate elsewhere. The lookup for per-domain and global VIRQs would fail when migrated off CPU0, especially when tracking the current CPU (NVD).
The vulnerability affects the system's handling of Virtual IRQs in Xen environments, potentially impacting the proper functioning of interrupt handling and CPU binding mechanisms. The issue particularly affects scenarios where VIRQs need to migrate between CPUs (NVD).
The fix involves removing the BUG_ON() from bind_virq_to_irq() and propagating the error upwards. The system now returns -EEXIST instead of triggering a BUG_ON() when attempting to bind a per-domain or global VIRQ that is already bound. This makes the scenario non-fatal and avoids looking up the IRQ since the location in per_cpu(virq_to_irq) is unknown (NVD).
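The lookup failure and the patched error path can be seen in a simplified user-space model, added here as an illustration; it is not kernel code. The single modelled per-domain/global VIRQ, the array standing in for per_cpu(virq_to_irq), the model_* function names and the IRQ numbers are all assumptions.

```c
#include <errno.h>
#include <stdio.h>

#define NR_CPUS 4

static int virq_to_irq[NR_CPUS]; /* stand-in for per_cpu(virq_to_irq); -1 = empty */
static int bound;                /* stand-in for "Xen already has this VIRQ bound" */

static void model_reset(void)
{
    for (int cpu = 0; cpu < NR_CPUS; cpu++)
        virq_to_irq[cpu] = -1;
    bound = 0;
}

/* The IRQ follows the VIRQ to another CPU, so the CPU0 slot becomes empty. */
static void model_migrate(int from, int to)
{
    virq_to_irq[to] = virq_to_irq[from];
    virq_to_irq[from] = -1;
}

/* Patched behaviour: an already-bound VIRQ whose slot is not on `cpu`
 * yields -EEXIST for the caller to handle, where the old code hit BUG_ON(). */
static int model_bind_virq(int cpu, int new_irq)
{
    if (virq_to_irq[cpu] != -1)
        return virq_to_irq[cpu];  /* slot known on this CPU: reuse it */
    if (bound)
        return -EEXIST;           /* bound elsewhere, location unknown */
    bound = 1;
    virq_to_irq[cpu] = new_irq;
    return new_irq;
}

int main(void)
{
    model_reset();
    printf("first bind on CPU0 -> %d\n", model_bind_virq(0, 16));
    model_migrate(0, 2);          /* constructed scenario: VIRQ moves to CPU2 */
    printf("rebind via CPU0 after migration -> %d\n", model_bind_virq(0, 17));
    return 0;
}
```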
Source: This report was generated using AI