CVE-2025-71231
Out-of-Bounds Index Vulnerability in Linux Kernel Crypto IAA
Publication date: 2026-02-18
Last updated on: 2026-03-18
Assigner: kernel.org
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 6.8 (inc) to 6.12.72 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.11 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
I don't know
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's crypto iaa component. Specifically, there is an issue in the function find_empty_iaa_compression_mode where a local variable 'i' is initialized with -EINVAL but is immediately overwritten by a for loop, so -EINVAL is never returned. If no empty compression mode is found, the function returns an out-of-bounds index IAA_COMP_MODES_MAX, which leads to an invalid array access in the add_iaa_compression_mode() function.
The fix involves ensuring that the function returns either a valid index or -EINVAL, preventing the out-of-bounds access.
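The pattern described in the answer above, as an added userspace model rather than the kernel's own code: a buggy slot finder whose `-EINVAL` initialiser is clobbered by the loop variable, the corrected version beside it, and a caller modelled on add_iaa_compression_mode() that only checks for a negative return. The names mirror the kernel's, but the table size (IAA_COMP_MODES_MAX = 2), the struct contents and the caller are simplified assumptions for illustration; the caller refuses the out-of-range index instead of writing past the array so the outcome can be reported rather than faulting.

```c
/* Added example, not kernel code: userspace model of the slot lookup bug.
 * IAA_COMP_MODES_MAX, the struct and the caller are simplified assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define IAA_COMP_MODES_MAX 2   /* assumed small table so it fills quickly */

struct iaa_compression_mode {
	int id;
};

static struct iaa_compression_mode *iaa_compression_modes[IAA_COMP_MODES_MAX];

/* Buggy pattern: 'i' is initialised to -EINVAL, but the for loop overwrites
 * it immediately. When every slot is occupied the loop falls through with
 * i == IAA_COMP_MODES_MAX and that out-of-bounds index is what gets returned;
 * -EINVAL is never returned on any path. */
static int find_empty_iaa_compression_mode_buggy(void)
{
	int i = -EINVAL;

	for (i = 0; i < IAA_COMP_MODES_MAX; i++) {
		if (iaa_compression_modes[i])
			continue;
		break;
	}

	return i;   /* IAA_COMP_MODES_MAX when the table is full */
}

/* Fixed pattern: return the first empty index from inside the loop and fall
 * back to an explicit -EINVAL, so the result is always a valid index or an
 * error the caller's 'idx < 0' test actually catches. */
static int find_empty_iaa_compression_mode_fixed(void)
{
	int i;

	for (i = 0; i < IAA_COMP_MODES_MAX; i++) {
		if (!iaa_compression_modes[i])
			return i;
	}

	return -EINVAL;
}

/* Caller modelled on add_iaa_compression_mode(): a negative return is the
 * only thing it checks before indexing the table. With the buggy finder a
 * full table yields idx == IAA_COMP_MODES_MAX, which passes that check; the
 * explicit range test below stands in for the out-of-bounds array access. */
static int add_mode(struct iaa_compression_mode *mode, int (*find)(void))
{
	int idx = find();

	if (idx < 0)
		return idx;            /* -EINVAL: table full, rejected cleanly */

	if (idx >= IAA_COMP_MODES_MAX)
		return -EOVERFLOW;     /* the kernel would index past the array here */

	iaa_compression_modes[idx] = mode;
	return idx;
}

/* Fill the table, then attempt one insertion too many with the given finder.
 * Returns that final add_mode() result: -EOVERFLOW exposes the bug,
 * -EINVAL is the correct rejection. */
static int overflow_result(int (*find)(void))
{
	static struct iaa_compression_mode modes[IAA_COMP_MODES_MAX + 1]; /* constructed */
	int i;

	memset(iaa_compression_modes, 0, sizeof(iaa_compression_modes));
	for (i = 0; i <= IAA_COMP_MODES_MAX; i++)
		modes[i].id = i;

	for (i = 0; i < IAA_COMP_MODES_MAX; i++)
		add_mode(&modes[i], find);

	return add_mode(&modes[IAA_COMP_MODES_MAX], find);
}

int main(void)
{
	printf("buggy finder, full table: %d (-EOVERFLOW is %d)\n",
	       overflow_result(find_empty_iaa_compression_mode_buggy), -EOVERFLOW);
	printf("fixed finder, full table: %d (-EINVAL is %d)\n",
	       overflow_result(find_empty_iaa_compression_mode_fixed), -EINVAL);
	return 0;
}
```

The point to carry over to real code review: an initialiser that is unconditionally overwritten before any use is dead, so a compiler will not complain, yet it leaves the reader believing an error path exists. Returning from inside the loop and placing the error return after it makes the two outcomes explicit.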
How can this vulnerability impact me?
This vulnerability can cause invalid array access in the Linux kernel's crypto iaa component, which may lead to undefined behavior such as crashes or potential security issues due to memory corruption.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know