CVE-2025-71087 in Linux
Summary
by MITRE • 01/13/2026
In the Linux kernel, the following vulnerability has been resolved:
iavf: fix off-by-one issues in iavf_config_rss_reg()
There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds
writes to device registers.
Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), the loop upper bounds were: i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX
which is safe since the value is the last valid index.
That commit changed the bounds to: i <= adapter->rss_{key,lut}_size / 4
where `rss_{key,lut}_size / 4` is the number of dwords, so the last
valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`
accesses one element past the end.
Fix the issues by using `<` instead of `<=`, ensuring we do not exceed the bounds.
[1] KASAN splat about rss_key_size off-by-one
BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800 Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63
CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: iavf iavf_watchdog_task Call Trace: <TASK> dump_stack_lvl+0x6f/0xb0 print_report+0x170/0x4f3 kasan_report+0xe1/0x1a0 iavf_config_rss+0x619/0x800 iavf_watchdog_task+0x2be7/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30 </TASK>
Allocated by task 63: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 __kmalloc_noprof+0x246/0x6f0 iavf_watchdog_task+0x28fc/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30
The buggy address belongs to the object at ffff888102c50100 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes to the right of allocated 52-byte region [ffff888102c50100, ffff888102c50134)
The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50 flags: 0x200000000000000(node=0|zone=2) page_type: f5(slab) raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected
Memory state around the buggy address: ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc ^ ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/31/2026
The vulnerability described in CVE-2025-71087 affects the Linux kernel's iavf driver, specifically within the iavf_config_rss_reg() function. This issue stems from improper loop boundary handling when configuring RSS (Receive Side Scaling) hash keys and lookup tables, leading to out-of-bounds memory accesses. The flaw manifests as both read and write operations that extend beyond allocated memory regions or device register boundaries, creating potential for system instability or exploitation.
The root cause lies in a change introduced by commit 43a3d9ba34c9 which altered the loop bounds for RSS configuration. Previously, the code used inclusive upper bounds based on maximum index values that were safe. However, the updated implementation incorrectly calculates the loop limit as the number of dwords rather than the last valid index, causing an off-by-one error. This results in accessing one element beyond the allocated buffer, triggering kernel memory safety violations.
The technical impact is severe as demonstrated by the KASAN (Kernel Address Sanitizer) report which shows a slab-out-of-bounds read operation. The error occurs during execution of iavf_watchdog_task, where a worker thread attempts to configure RSS settings. Memory allocation details reveal that the accessed address ff ff888102c50134 falls exactly one byte beyond the allocated 52-byte region, indicating clear boundary violation. This type of memory corruption can lead to system crashes, data corruption, or potentially privilege escalation depending on exploitation vector.
This vulnerability maps directly to CWE-129, which covers improper validation of array index bounds, and aligns with ATT&CK technique T1068, which involves exploiting local privilege escalation through kernel vulnerabilities. The flaw affects systems using Intel's iavf driver for virtual functions, particularly those implementing RSS for network traffic distribution. The vulnerability exists in kernel versions prior to the fix, making it critical for system administrators to apply patches promptly. The out-of-bounds write to device registers poses additional risk as it could corrupt hardware state or enable further exploitation.
Mitigation strategies include immediate kernel updates containing the fix that changes loop comparison operators from <= to <, ensuring proper boundary validation. System administrators should also implement monitoring for suspicious kernel memory access patterns and consider disabling RSS functionality temporarily if immediate patching is not feasible. Additionally, network segmentation and access controls can help reduce potential exploitation impact, while regular security audits should verify proper kernel versioning across all systems. The fix ensures that the loop operates only within valid memory ranges, eliminating both read and write violations that could compromise system integrity or security posture.