CVE-2025-71202 in Linuxinfo

Summary

by MITRE • 02/14/2026

In the Linux kernel, the following vulnerability has been resolved:

iommu/sva: invalidate stale IOTLB entries for kernel address space

Introduce a new IOMMU interface to flush IOTLB paging cache entries for the CPU kernel address space. This interface is invoked from the x86 architecture code that manages combined user and kernel page tables, specifically before any kernel page table page is freed and reused.

This addresses the main issue with vfree() which is a common occurrence and can be triggered by unprivileged users. While this resolves the primary problem, it doesn't address some extremely rare case related to memory unplug of memory that was present as reserved memory at boot, which cannot be triggered by unprivileged users. The discussion can be found at the link below.

Enable SVA on x86 architecture since the IOMMU can now receive notification to flush the paging cache before freeing the CPU kernel page table pages.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/06/2026

The vulnerability described in CVE-2025-71202 represents a critical issue within the Linux kernel's IOMMU subsystem that affects memory management and virtualization security. This flaw specifically targets the interaction between IOMMU (Input-Output Memory Management Unit) and kernel address space management, creating potential security risks through improper handling of IOTLB (IOMMU Translation Lookaside Buffer) entries. The vulnerability stems from the kernel's inability to properly invalidate stale IOTLB entries when kernel page table pages are freed and reused, which can lead to memory corruption and potential privilege escalation attacks.

The technical implementation of this vulnerability occurs within the x86 architecture code that manages combined user and kernel page tables. When kernel page table pages are freed and subsequently reused through operations like vfree(), the system fails to properly flush the IOTLB paging cache entries associated with the kernel address space. This creates a scenario where stale translation entries remain in the IOMMU cache, potentially allowing unauthorized access to kernel memory through cached translations that no longer correspond to valid memory mappings. The issue is particularly concerning because vfree() operations are common and can be triggered by unprivileged users, making this attack vector accessible to low-privilege adversaries.

The operational impact of this vulnerability extends beyond simple memory management issues to encompass broader security implications for virtualized environments and systems utilizing IOMMU features. When combined with SVA (Shared Virtual Addressing) capabilities, this flaw can enable attackers to exploit stale IOTLB entries to gain unauthorized access to kernel memory regions, potentially leading to privilege escalation or information disclosure. The vulnerability affects systems where IOMMU is enabled and SVA is active, particularly impacting x86 architectures that support combined user and kernel page table management. The fix addresses the primary concern but leaves open a rare edge case involving memory unplug operations on reserved memory at boot time, which cannot be triggered by unprivileged users.

The mitigation strategy for this vulnerability involves implementing a new IOMMU interface that explicitly flushes IOTLB paging cache entries for the CPU kernel address space before freeing kernel page table pages. This approach directly addresses the core issue by ensuring that stale translation entries are properly invalidated when kernel memory is freed and reused. The solution specifically targets the x86 architecture code and enables SVA functionality since the IOMMU can now receive proper notifications to flush paging cache entries before kernel page table pages are freed. This implementation aligns with CWE-121, which addresses buffer overflow conditions, and follows ATT&CK tactics related to privilege escalation and defense evasion. The fix ensures that memory management operations maintain proper cache coherency between kernel memory mappings and IOMMU translation tables, preventing potential exploitation through stale cache entries.

This vulnerability demonstrates the complexity of modern memory management systems and their interaction with hardware security features. The resolution requires careful coordination between kernel memory management subsystems and IOMMU hardware interfaces, highlighting the importance of proper cache invalidation procedures in virtualized environments. The fix represents a defensive programming approach that prevents potential exploitation by ensuring proper memory state transitions, particularly when kernel memory is freed and reallocated. The security implications extend to systems using IOMMU for device isolation, where stale translation entries could potentially allow device drivers or malicious code to access unauthorized kernel memory regions through cached translations.

Responsible

Linux

Reservation

01/31/2026

Disclosure

02/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00108

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!