CVE-2025-71089 in Linux

Summary

by MITRE • 01/13/2026

In the Linux kernel, the following vulnerability has been resolved:

iommu: disable SVA when CONFIG_X86 is set

Patch series "Fix stale IOTLB entries for kernel address space", v7.

This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption.

This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused.

This patch (of 8):

In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries.

The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA.

Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables.

Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern.

Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages.


Analysis

by VulDB Data Team • 02/26/2026

The vulnerability described in CVE-2025-71089 is a flaw in the Linux kernel's IOMMU Shared Virtual Addressing (SVA) support. It arises when kernel page table pages are freed and subsequently reallocated while stale entries for them persist in the IOMMU's paging-structure caches. The problem is specific to x86, where the kernel's virtual address space is mapped into the upper portion of every process's page table, so an IOMMU walking a process's page tables on behalf of an SVA-bound device also walks and caches kernel page table entries. The root cause is the absence of a notification mechanism that would tell the IOMMU driver when kernel page table pages are freed: the driver is only told about changes to user virtual address mappings, so the IOMMU can keep referencing page table memory that has already been released.

The technical flaw stems from the lack of synchronization between the CPU's kernel page table management and the IOMMU's cache invalidation. When a kernel page table page is freed, it may be reallocated for any other purpose, including user data or other kernel data structures. The IOMMU still holds cached intermediate entries that point at the freed page, so whatever is written into that page after reallocation can be interpreted by the hardware walker as valid page table entries. This creates a use-after-free condition (the walker reads the reused memory as page tables) and a write-after-free condition (the walker sets Accessed and Dirty bits in the reused memory while trying to walk the stale tables). The vulnerability is classified as CWE-416 (Use After Free) and CWE-787 (Out-of-bounds Write).
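To make the sequence concrete, here is an added user-space C simulation (example code written for this page; it is neither kernel code nor part of the patch series) of a two-level, x86-style page table walked by an IOMMU that keeps a paging-structure cache. It assumes a toy layout (8 entries per table, 16 frames, root slots 4..7 standing in for the kernel half of the address space, frame numbers in place of physical addresses). It shows the intermediate entry being cached on a walk that is refused at a kernel-only leaf, the leaf table's frame being freed and immediately reused for attacker-controlled data, and the next device walk resolving that data as a user-accessible PTE unless the cache was flushed before the frame was freed:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not kernel code): user-space model of an IOMMU walking CPU page tables
 * in an SVA context. Two-level table, 8 entries per level, x86-like entry bits; frame
 * numbers stand in for physical addresses and frame 0 holds the root table. */
#define NENT      8
#define NFRAMES   16
#define PTE_P     (1ULL << 0)            /* present */
#define PTE_US    (1ULL << 2)            /* user-accessible; clear means kernel-only */
#define PTE_A     (1ULL << 5)            /* accessed, written by the hardware walker */
#define PFN_SHIFT 12
#define PFN(e)    ((int)((e) >> PFN_SHIFT))
#define KVA       0x25u                  /* root slot 4 (kernel half), leaf slot 5 */
typedef uint64_t pte_t;

static pte_t mem[NFRAMES][NENT];         /* "physical memory" */
static int frame_used[NFRAMES], reused_frame;
/* IOMMU paging-structure cache: root slot -> leaf-table frame, -1 = empty. Hardware
 * caches intermediate entries like this whether or not the leaf is kernel-only. */
static int psc[NENT];
static int alloc_frame(void)
{
    for (int i = 1; i < NFRAMES; i++)
        if (!frame_used[i]) {
            frame_used[i] = 1;
            memset(mem[i], 0, sizeof mem[i]);
            return i;
        }
    return -1;
}
static void free_frame(int f) { frame_used[f] = 0; }
static void psc_flush(void) { for (int i = 0; i < NENT; i++) psc[i] = -1; }
/* Toy VA: bits 3..5 index the root (slots 4..7 play the kernel half), bits 0..2 the leaf */
static int root_idx(unsigned va) { return (va >> 3) & (NENT - 1); }
static int leaf_idx(unsigned va) { return va & (NENT - 1); }
/* Device-side walk: frame of a user-accessible mapping, or -1 on a fault (not
 * present, or kernel-only and therefore off-limits to an SVA context). */
static int iommu_walk(unsigned va)
{
    int ri = root_idx(va), li = leaf_idx(va), tbl = psc[ri];
    if (tbl < 0) {
        if (!(mem[0][ri] & PTE_P)) return -1;
        tbl = psc[ri] = PFN(mem[0][ri]);   /* intermediate entry is now cached */
    }
    pte_t *leaf = &mem[tbl][li];
    if (!(*leaf & PTE_P)) return -1;
    *leaf |= PTE_A;                        /* walker sets Accessed before the U/S check */
    if (!(*leaf & PTE_US)) return -1;      /* kernel-only leaf: refused, cache kept */
    return PFN(*leaf);
}
/* CPU side: map a kernel-only VA, allocating the leaf table on demand; returns
 * the frame holding that leaf table. */
static int kernel_map(unsigned va, int target_frame)
{
    int ri = root_idx(va);
    if (!(mem[0][ri] & PTE_P))
        mem[0][ri] = ((pte_t)alloc_frame() << PFN_SHIFT) | PTE_P;
    int tbl = PFN(mem[0][ri]);
    mem[tbl][leaf_idx(va)] = ((pte_t)target_frame << PFN_SHIFT) | PTE_P;  /* no PTE_US */
    return tbl;
}
/* Tear down and free the leaf table. notify_iommu models the fix: flush the
 * IOMMU's cache before the frame can be handed out again. */
static void kernel_free_table(unsigned va, int notify_iommu)
{
    int ri = root_idx(va), tbl = PFN(mem[0][ri]);
    mem[0][ri] = 0;
    if (notify_iommu) psc_flush();
    free_frame(tbl);
}
/* What the IOMMU resolves for KVA after its leaf table was freed and the frame reused
 * for attacker data: 13 (attacker's choice) via the stale entry, -1 if flushed first. */
static int run(int notify_iommu)
{
    memset(mem, 0, sizeof mem);
    memset(frame_used, 0, sizeof frame_used);
    frame_used[0] = 1;
    psc_flush();
    int tbl = kernel_map(KVA, 9);
    iommu_walk(KVA);                       /* faults at the leaf, caches the intermediate entry */
    kernel_free_table(KVA, notify_iommu);
    reused_frame = alloc_frame();          /* the freed frame comes straight back */
    if (reused_frame != tbl) return -2;
    /* attacker fills the reused frame with a fake user-accessible PTE -> frame 13 */
    mem[reused_frame][leaf_idx(KVA)] = ((pte_t)13 << PFN_SHIFT) | PTE_P | PTE_US;
    return iommu_walk(KVA);
}
/* Did the walker write an Accessed bit into the reused frame (write-after-free)? */
static int accessed_bit_written(void)
{
    return (mem[reused_frame][leaf_idx(KVA)] & PTE_A) != 0;
}

int main(void)
{
    printf("without notification: %d\n", run(0));   /* 13: stale entry followed */
    printf("with notification:    %d\n", run(1));   /* -1: walk faults at the root */
    return 0;
}
```

Without the flush, the second walk never re-reads the root entry the kernel cleared: it follows the cached pointer into the reused frame, accepts the attacker's fake PTE and, as a side effect, sets the Accessed bit in memory that the kernel has already handed out for another purpose, which is the write-after-free. With the flush that the deferred-free series performs before the page is reused, the same walk faults at the root. Real hardware caches are larger and multi-level, but the hazard is the same.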

The operational impact matters because SVA contexts are unprivileged: a process with a device bound to its address space through SVA needs no elevated rights to make the IOMMU walk kernel-only page tables, and the commit message notes that the walker caches the intermediate entries even though the leaf access is eventually refused. If a freed page table page is then reallocated for memory whose contents an attacker can influence, the IOMMU can walk into attacker-controlled data as though it were page tables and resolve device DMA to arbitrary physical addresses, which is the path to privilege escalation or data corruption. The vulnerability affects x86 systems that use IOMMU SVA, that is, systems where DMA-capable devices are bound to process address spaces and share the CPU page tables; a machine with no SVA-bound devices is not exposed through this path.

The fix shipped for CVE-2025-71089 is the first patch of the series: SVA is disabled outright when CONFIG_X86 is set, so SVA bindings are refused on x86 until the remaining patches add a way to flush the IOMMU paging cache before CPU kernel page table pages are freed. The series implements that as a deferred free of kernel page table pages, which gives the kernel a window in which to notify the IOMMU and have it invalidate its caches before the page is reused; once the IOMMU no longer holds stale entries for freed page table pages, the use-after-free and write-after-free conditions cannot arise. In ATT&CK terms the flaw maps to T1068, Exploitation for Privilege Escalation; VulDB additionally tags T1543, Create or Modify System Process. Administrators should update to a kernel carrying the fix and, on x86 systems that cannot be updated yet, treat any SVA-bound device as exposure and disable SVA where the workload allows. The bug is a reminder that cache coherency between the CPU's page table management and DMA-capable devices that walk those tables needs the same care as the CPU's own TLB invalidation.

Responsible: Linux

Reservation: 01/13/2026

Disclosure: 01/13/2026

Moderation: accepted

CPE: ready

EPSS: 0.00011

KEV: no

Activities: very low

Sources
