CVE-2025-71161 in Linux
Summary
by MITRE • 01/23/2026
In the Linux kernel, the following vulnerability has been resolved:
dm-verity: disable recursive forward error correction
There are two problems with the recursive correction:
1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For each iteration, we may call verity_hash_for_block recursively. There is a limit of 4 nested recursions - that means that there may be at most 253^4 (4 billion) iterations. Red Hat QE team actually created an image that pushes dm-verity to this limit - and this image just makes the udev-worker process get stuck in the 'D' state.
2. It doesn't work. In fec_read_bufs we store data into the variable "fio->bufs", but fio->bufs is shared between recursive invocations; if "verity_hash_for_block" invoked correction recursively, it would overwrite partially filled fio->bufs.
Analysis
by VulDB Data Team • 05/17/2026
CVE-2025-71161 is a critical flaw in how the Linux kernel's device mapper verity (dm-verity) implementation handles forward error correction. dm-verity provides transparent integrity checking for block devices and is commonly used in Android and other systems to ensure data integrity and prevent tampering. The vulnerability stems from improper handling of recursive forward error correction within the verity hash verification process, which creates both denial-of-service conditions and functional failures in the integrity verification system.
The flaw shows up as two distinct but interconnected problems that compound the security risk. The first is an excessive iteration loop in the fec_read_bufs function that can execute up to 253^4 operations, a computational explosion that can overwhelm system resources and leave the udev-worker process unresponsive in the uninterruptible D state. This is a classic denial-of-service vulnerability in which malicious input causes system instability and resource exhaustion. The second is a critical data corruption issue: buffers shared between recursive function calls are overwritten, which renders the forward error correction mechanism completely non-functional. Because of this buffer management flaw, even when the system attempts to correct errors through forward error correction, the process fails entirely due to overwrites in shared memory structures.
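Both problems can be reproduced in a small user-space model. This is an added example, not kernel code: `fio_model`, `read_bufs`, `intact_bytes` and `worst_case` are hypothetical names, and the loop is scaled from 253 iterations down to 8 so that it finishes instantly.

```c
#include <stdint.h>
#include <stdio.h>

#define NBUF      8   /* scaled down; the loop on the page has 253 iterations */
#define MAX_DEPTH 4   /* nesting limit stated on the page */

struct fio_model {                 /* hypothetical model of the per-I/O state */
    uint8_t bufs[NBUF];            /* one array shared by every nesting level */
    unsigned long iterations;      /* total loop iterations executed */
};

static void read_bufs(struct fio_model *fio, unsigned level, int recurse)
{
    for (unsigned i = 0; i < NBUF; i++) {
        fio->iterations++;
        /* Stand-in for the hash check that may start a nested correction. */
        if (recurse && level + 1 < MAX_DEPTH)
            read_bufs(fio, level + 1, recurse);   /* refills the same bufs */
        fio->bufs[i] = (uint8_t)(0x10 * (level + 1) + i);  /* tag: level, index */
    }
}

/* Fill bufs at the top level, then count bytes that still carry its tag. */
static unsigned intact_bytes(int recurse, unsigned long *iterations)
{
    struct fio_model fio = { .iterations = 0 };
    unsigned ok = 0;
    read_bufs(&fio, 0, recurse);
    for (unsigned i = 0; i < NBUF; i++)
        ok += (fio.bufs[i] == 0x10 + i);
    *iterations = fio.iterations;
    return ok;
}

/* Upper bound on innermost-loop iterations: n per level over depth levels. */
static uint64_t worst_case(uint64_t n, unsigned depth)
{
    uint64_t total = 1;
    while (depth--)
        total *= n;
    return total;
}

int main(void)
{
    unsigned long it;
    unsigned ok = intact_bytes(1, &it);
    printf("intact %u/%d, iterations %lu, 253^4 = %llu\n", ok, NBUF, it,
           (unsigned long long)worst_case(253, 4));
    return 0;
}
```

With recursion enabled, only the last byte written by the top-level fill survives, and the iteration count grows geometrically with each nesting level.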
The operational impact goes beyond system instability and compromises the integrity protection that dm-verity provides. When the forward error correction fails, the system cannot properly validate data integrity, potentially allowing corrupted data to be accepted as valid. The denial-of-service aspect creates a persistent threat in which system resources are consumed and processes become unresponsive, effectively disabling the integrity verification capabilities of affected systems. The vulnerability affects Linux distributions that use dm-verity for system integrity protection, particularly those implementing Android-style security models, where dm-verity is commonly deployed to protect boot partitions and system images from tampering.
Mitigation must address both the immediate denial-of-service threat and the functional failure of the forward error correction mechanism. The recommended solution is to disable recursive forward error correction entirely, which eliminates the computational explosion risk while maintaining basic integrity checking capabilities. System administrators should ensure that affected kernel versions are updated to patches that remove the recursive correction logic and implement proper buffer isolation between function calls. This approach aligns with the principle of least privilege and defense in depth, ensuring that the integrity verification system remains functional without exposing the system to computational resource exhaustion attacks.
Organizations should also monitor for unusual udev-worker process behavior and system resource consumption patterns that might indicate exploitation attempts.
The vulnerability demonstrates the importance of careful recursive function design and proper resource management in kernel-space code, as highlighted by CWE-674, which addresses Uncontrolled Recursion, and CWE-129, which covers Improper Validation of Array Index. From an ATT&CK perspective, this vulnerability maps to T1499.004 (Endpoint Denial of Service) and T1566.002 (Phishing via Social Engineering), as it could be exploited through crafted malicious images designed to trigger the denial-of-service condition.