CVE-2025-71089
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-13

Last updated on: 2026-04-02

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption. This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused. This patch (of 8): In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-04-02
Generated
2026-05-06
AI Q&A
2026-01-14
EPSS Evaluated
2026-05-05
NVD
CVE-2025-71089
EUVD
EUVD-2026-2241
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.13 (inc) to 6.18.4 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.120 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.64 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.163 (exc)
linux linux_kernel From 5.2 (inc) to 5.15.200 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

This vulnerability can lead to privilege escalation or data corruption on affected Linux systems. An attacker could exploit stale IOMMU page table entries to gain unauthorized access to physical memory or escalate their privileges, potentially compromising system security and stability.


Can you explain this vulnerability to me?

This vulnerability involves the Linux kernel's IOMMU Shared Virtual Addressing (SVA) feature on x86 architectures. The IOMMU hardware caches kernel page table entries, but the kernel lacks a mechanism to notify the IOMMU when these page tables are freed and reused. As a result, the IOMMU may hold stale entries, leading to use-after-free or write-after-free conditions. This can allow an attacker to cause privilege escalation or data corruption by making the IOMMU walk into attacker-controlled memory, potentially enabling arbitrary physical memory DMA access. The fix disables SVA on x86 until a safe notification mechanism is implemented to invalidate IOMMU caches before page reuse.


What immediate steps should I take to mitigate this vulnerability?

Disable Shared Virtual Addressing (SVA) on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages. This prevents the IOMMU from caching stale kernel page table entries that could lead to use-after-free or write-after-free conditions and potential privilege escalation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart