Linux Kernel up to 6.1.159/6.6.119/6.12.63/6.18.3 switch_mmu_context buffer overflow
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.7 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as critical, has been found in Linux Kernel up to 6.1.159/6.6.119/6.12.63/6.18.3. Affected is the function switch_mmu_context. The manipulation leads to buffer overflow.
This vulnerability is documented as CVE-2025-71078. There is not any exploit available.
It is advisable to upgrade the affected component.
Details
A vulnerability was found in Linux Kernel up to 6.1.159/6.6.119/6.12.63/6.18.3 and classified as critical. This issue affects the function switch_mmu_context. The manipulation with an unknown input leads to a buffer overflow vulnerability. Using CWE to declare the problem leads to CWE-120. The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
In the Linux kernel, the following vulnerability has been resolved: powerpc/64s/slb: Fix SLB multihit issue during SLB preload On systems using the hash MMU, there is a software SLB preload cache that mirrors the entries loaded into the hardware SLB buffer. This preload cache is subject to periodic eviction — typically after every 256 context switches — to remove old entry. To optimize performance, the kernel skips switch_mmu_context() in switch_mm_irqs_off() when the prev and next mm_struct are the same. However, on hash MMU systems, this can lead to inconsistencies between the hardware SLB and the software preload cache. If an SLB entry for a process is evicted from the software cache on one CPU, and the same process later runs on another CPU without executing switch_mmu_context(), the hardware SLB may retain stale entries. If the kernel then attempts to reload that entry, it can trigger an SLB multi-hit error. The following timeline shows how stale SLB entries are created and can cause a multi-hit error when a process moves between CPUs without a MMU context switch. CPU 0 CPU 1 ----- ----- Process P exec swapper/1 load_elf_binary begin_new_exc activate_mm switch_mm_irqs_off switch_mmu_context switch_slb /* * This invalidates all * the entries in the HW * and setup the new HW * SLB entries as per the * preload cache. */ context_switch sched_migrate_task migrates process P to cpu-1 Process swapper/0 context switch (to process P) (uses mm_struct of Process P) switch_mm_irqs_off() switch_slb load_slb++ /* * load_slb becomes 0 here * and we evict an entry from * the preload cache with * preload_age(). We still * keep HW SLB and preload * cache in sync, that is * because all HW SLB entries * anyways gets evicted in * switch_slb during SLBIA. * We then only add those * entries back in HW SLB, * which are currently * present in preload_cache * (after eviction). */ load_elf_binary continues... setup_new_exec() slb_setup_new_exec() sched_switch event sched_migrate_task migrates process P to cpu-0 context_switch from swapper/0 to Process P switch_mm_irqs_off() /* * Since both prev and next mm struct are same we don't call * switch_mmu_context(). This will cause the HW SLB and SW preload * cache to go out of sync in preload_new_slb_context. Because there * was an SLB entry which was evicted from both HW and preload cache * on cpu-1. Now later in preload_new_slb_context(), when we will try * to add the same preload entry again, we will add this to the SW * preload cache and then will add it to the HW SLB. Since on cpu-0 * this entry was never invalidated, hence adding this entry to the HW * SLB will cause a SLB multi-hit error. */ load_elf_binary cont ---truncated---
It is possible to read the advisory at git.kernel.org. The identification of this vulnerability is CVE-2025-71078 since 01/13/2026. The exploitation is known to be easy. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 03/25/2026).
The vulnerability scanner Nessus provides a plugin with the ID 298659 (Debian dla-4476 : linux-config-6.1 - security update), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 6.1.160, 6.6.120, 6.12.64, 6.18.4 or 6.19-rc1 eliminates this vulnerability. Applying the patch c9f865022a1823d814032a09906e91e4701a35fc/b13a3dbfa196af68eae2031f209743735ad416bf/895123c309a34d2cfccf7812b41e17261a3a6f37/4ae1e46d8a290319f33f71a2710a1382ba5431e8/00312419f0863964625d6dcda8183f96849412c6 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the vulnerability database at Tenable (298659). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Type
Vendor
Name
Version
- 6.1.159
- 6.6.119
- 6.12.0
- 6.12.1
- 6.12.2
- 6.12.3
- 6.12.4
- 6.12.5
- 6.12.6
- 6.12.7
- 6.12.8
- 6.12.9
- 6.12.10
- 6.12.11
- 6.12.12
- 6.12.13
- 6.12.14
- 6.12.15
- 6.12.16
- 6.12.17
- 6.12.18
- 6.12.19
- 6.12.20
- 6.12.21
- 6.12.22
- 6.12.23
- 6.12.24
- 6.12.25
- 6.12.26
- 6.12.27
- 6.12.28
- 6.12.29
- 6.12.30
- 6.12.31
- 6.12.32
- 6.12.33
- 6.12.34
- 6.12.35
- 6.12.36
- 6.12.37
- 6.12.38
- 6.12.39
- 6.12.40
- 6.12.41
- 6.12.42
- 6.12.43
- 6.12.44
- 6.12.45
- 6.12.46
- 6.12.47
- 6.12.48
- 6.12.49
- 6.12.50
- 6.12.51
- 6.12.52
- 6.12.53
- 6.12.54
- 6.12.55
- 6.12.56
- 6.12.57
- 6.12.58
- 6.12.59
- 6.12.60
- 6.12.61
- 6.12.62
- 6.12.63
- 6.18.0
- 6.18.1
- 6.18.2
- 6.18.3
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.9VulDB Meta Temp Score: 7.7
VulDB Base Score: 8.0
VulDB Temp Score: 7.6
VulDB Vector: 🔒
VulDB Reliability: 🔍
NVD Base Score: 7.8
NVD Vector: 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Buffer overflowCWE: CWE-120 / CWE-119
CAPEC: 🔒
ATT&CK: 🔒
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 298659
Nessus Name: Debian dla-4476 : linux-config-6.1 - security update
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: Kernel 6.1.160/6.6.120/6.12.64/6.18.4/6.19-rc1
Patch: c9f865022a1823d814032a09906e91e4701a35fc/b13a3dbfa196af68eae2031f209743735ad416bf/895123c309a34d2cfccf7812b41e17261a3a6f37/4ae1e46d8a290319f33f71a2710a1382ba5431e8/00312419f0863964625d6dcda8183f96849412c6
Timeline
01/13/2026 Advisory disclosed01/13/2026 CVE reserved
01/13/2026 VulDB entry created
03/25/2026 VulDB entry last update
Sources
Vendor: kernel.orgAdvisory: git.kernel.org
Status: Confirmed
CVE: CVE-2025-71078 (🔒)
GCVE (CVE): GCVE-0-2025-71078
GCVE (VulDB): GCVE-100-340691
Entry
Created: 01/13/2026 18:02Updated: 03/25/2026 20:55
Changes: 01/13/2026 18:02 (58), 02/16/2026 14:08 (2), 03/25/2026 20:55 (11)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.