CVE-2025-71089 (GCVE-0-2025-71089)

Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-13 15:34
VLAI?
Title
iommu: disable SVA when CONFIG_X86 is set
Summary
In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption. This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused. This patch (of 8): In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < 240cd7f2812cc25496b12063d11c823618f364e9 (git)
Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < c2c3f1a3fd74ef16cf115f0c558616a13a8471b4 (git)
Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < c341dee80b5df49a936182341b36395c831c2661 (git)
Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < 72f98ef9a4be30d2a60136dd6faee376f780d06c (git)
Create a notification for this product.
    Linux Linux Affected: 5.2
Unaffected: 0 , < 5.2 (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.18.4 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/iommu-sva.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "240cd7f2812cc25496b12063d11c823618f364e9",
              "status": "affected",
              "version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
              "versionType": "git"
            },
            {
              "lessThan": "c2c3f1a3fd74ef16cf115f0c558616a13a8471b4",
              "status": "affected",
              "version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
              "versionType": "git"
            },
            {
              "lessThan": "c341dee80b5df49a936182341b36395c831c2661",
              "status": "affected",
              "version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
              "versionType": "git"
            },
            {
              "lessThan": "72f98ef9a4be30d2a60136dd6faee376f780d06c",
              "status": "affected",
              "version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/iommu-sva.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.4",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: disable SVA when CONFIG_X86 is set\n\nPatch series \"Fix stale IOTLB entries for kernel address space\", v7.\n\nThis proposes a fix for a security vulnerability related to IOMMU Shared\nVirtual Addressing (SVA).  In an SVA context, an IOMMU can cache kernel\npage table entries.  When a kernel page table page is freed and\nreallocated for another purpose, the IOMMU might still hold stale,\nincorrect entries.  This can be exploited to cause a use-after-free or\nwrite-after-free condition, potentially leading to privilege escalation or\ndata corruption.\n\nThis solution introduces a deferred freeing mechanism for kernel page\ntable pages, which provides a safe window to notify the IOMMU to\ninvalidate its caches before the page is reused.\n\n\nThis patch (of 8):\n\nIn the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware\nshares and walks the CPU\u0027s page tables.  The x86 architecture maps the\nkernel\u0027s virtual address space into the upper portion of every process\u0027s\npage table.  Consequently, in an SVA context, the IOMMU hardware can walk\nand cache kernel page table entries.\n\nThe Linux kernel currently lacks a notification mechanism for kernel page\ntable changes, specifically when page table pages are freed and reused. \nThe IOMMU driver is only notified of changes to user virtual address\nmappings.  This can cause the IOMMU\u0027s internal caches to retain stale\nentries for kernel VA.\n\nUse-After-Free (UAF) and Write-After-Free (WAF) conditions arise when\nkernel page table pages are freed and later reallocated.  The IOMMU could\nmisinterpret the new data as valid page table entries.  The IOMMU might\nthen walk into attacker-controlled memory, leading to arbitrary physical\nmemory DMA access or privilege escalation.  This is also a\nWrite-After-Free issue, as the IOMMU will potentially continue to write\nAccessed and Dirty bits to the freed memory while attempting to walk the\nstale page tables.\n\nCurrently, SVA contexts are unprivileged and cannot access kernel\nmappings.  However, the IOMMU will still walk kernel-only page tables all\nthe way down to the leaf entries, where it realizes the mapping is for the\nkernel and errors out.  This means the IOMMU still caches these\nintermediate page table entries, making the described vulnerability a real\nconcern.\n\nDisable SVA on x86 architecture until the IOMMU can receive notification\nto flush the paging cache before freeing the CPU kernel page table pages."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-13T15:34:51.079Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661"
        },
        {
          "url": "https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c"
        }
      ],
      "title": "iommu: disable SVA when CONFIG_X86 is set",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71089",
    "datePublished": "2026-01-13T15:34:51.079Z",
    "dateReserved": "2026-01-13T15:30:19.649Z",
    "dateUpdated": "2026-01-13T15:34:51.079Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-71089\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-13T16:16:08.583\",\"lastModified\":\"2026-01-13T16:16:08.583\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu: disable SVA when CONFIG_X86 is set\\n\\nPatch series \\\"Fix stale IOTLB entries for kernel address space\\\", v7.\\n\\nThis proposes a fix for a security vulnerability related to IOMMU Shared\\nVirtual Addressing (SVA).  In an SVA context, an IOMMU can cache kernel\\npage table entries.  When a kernel page table page is freed and\\nreallocated for another purpose, the IOMMU might still hold stale,\\nincorrect entries.  This can be exploited to cause a use-after-free or\\nwrite-after-free condition, potentially leading to privilege escalation or\\ndata corruption.\\n\\nThis solution introduces a deferred freeing mechanism for kernel page\\ntable pages, which provides a safe window to notify the IOMMU to\\ninvalidate its caches before the page is reused.\\n\\n\\nThis patch (of 8):\\n\\nIn the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware\\nshares and walks the CPU\u0027s page tables.  The x86 architecture maps the\\nkernel\u0027s virtual address space into the upper portion of every process\u0027s\\npage table.  Consequently, in an SVA context, the IOMMU hardware can walk\\nand cache kernel page table entries.\\n\\nThe Linux kernel currently lacks a notification mechanism for kernel page\\ntable changes, specifically when page table pages are freed and reused. \\nThe IOMMU driver is only notified of changes to user virtual address\\nmappings.  This can cause the IOMMU\u0027s internal caches to retain stale\\nentries for kernel VA.\\n\\nUse-After-Free (UAF) and Write-After-Free (WAF) conditions arise when\\nkernel page table pages are freed and later reallocated.  The IOMMU could\\nmisinterpret the new data as valid page table entries.  The IOMMU might\\nthen walk into attacker-controlled memory, leading to arbitrary physical\\nmemory DMA access or privilege escalation.  This is also a\\nWrite-After-Free issue, as the IOMMU will potentially continue to write\\nAccessed and Dirty bits to the freed memory while attempting to walk the\\nstale page tables.\\n\\nCurrently, SVA contexts are unprivileged and cannot access kernel\\nmappings.  However, the IOMMU will still walk kernel-only page tables all\\nthe way down to the leaf entries, where it realizes the mapping is for the\\nkernel and errors out.  This means the IOMMU still caches these\\nintermediate page table entries, making the described vulnerability a real\\nconcern.\\n\\nDisable SVA on x86 architecture until the IOMMU can receive notification\\nto flush the paging cache before freeing the CPU kernel page table pages.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.