So far I've heard three different (but related) theories that seem plausible, as far as my limited knowledge of the hardware goes.
1) The e1000e driver leaves the EEPROM mmio area mapped read-write. Then a rogue pointer from another kernel subsystem leads to tickling the control registers in a way that corrupts the EEPROM, or overwrites the mapped EEPROM data directly.
2) Same thing but with the X server somehow creating its own rw mapping of the mmio area (since the kernel's mapping should not be valid for a user process). Then a rogue pointer into that area.....
3) A wild DMA into the mmio area. This may be the nastiest possibility, since DMA writes may not respect the permissions on the mapping (could write through a mapping that is read-only for the cpu) unless there is an IOMMU involved.
These all lead to the natural thoughts, "Why would you design hardware where this can happen?" and "Is this issue lurking in other drivers for devices with EEPROMs?"