NVD

CVE-2025-71089 Detail

Modified After Enrichment

This CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes.

Description

In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption. This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused. This patch (of 8): In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: 7.8 HIGH

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Nist CVSS score does not match with CNA score

CNA: kernel.org

Base Score: 7.8 HIGH

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9	kernel.org	Patch
https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c	kernel.org	Patch
https://git.kernel.org/stable/c/7cad37e358970af1bb49030ff01f06a69fa7d985	kernel.org	Patch
https://git.kernel.org/stable/c/b34289505180a83607fcfdce14b5a290d0528476	kernel.org	Patch
https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4	kernel.org	Patch
https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661	kernel.org	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
NVD-CWE-noinfo	Insufficient Information	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

6 change records found show changes

CVE Modified by kernel.org 6/17/2026 6:03:38 AM

Action

Type

Old Value

New Value

Added

Affected

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/iommu/iommu-sva.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"26b25a2b98e45aeb40eedcedc586ad5034cbd984","lessThan":"b34289505180a83607fcfdce14b5a290d0528476","versionType":"git","status":"affected"},{"version":"26b25a2b98e45aeb40eedcedc586ad5034cbd984","lessThan":"7cad37e358970af1bb49030ff01f06a69fa7d985","versionType":"git","status":"affected"},{"version":"26b25a2b98e45aeb40eedcedc586ad5034cbd984","lessThan":"240cd7f2812cc25496b12063d11c823618f364e9","versionType":"git","status":"affected"},{"version":"26b25a2b98e45aeb40eedcedc586ad5034cbd984","lessThan":"c2c3f1a3fd74ef16cf115f0c558616a13a8471b4","versionType":"git","status":"affected"},{"version":"26b25a2b98e45aeb40eedcedc586ad5034cbd984","lessThan":"c341dee80b5df49a936182341b36395c831c2661","versionType":"git","status":"affected"},{"version":"26b25a2b98e45aeb40eedcedc586ad5034cbd984","lessThan":"72f98ef9a4be30d2a60136dd6faee376f780d06c","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/iommu/iommu-sva.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.2","status":"affected"},{"version":"0","lessThan":"5.2","versionType":"semver","status":"unaffected"},{"version":"5.15.200","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.163","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.120","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.64","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.4","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]

Initial Analysis by NIST 2/26/2026 1:42:40 PM

Action	Type	New Value
Added	CVSS V3.1	AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Added	CWE	NVD-CWE-noinfo
Added	CPE Configuration	OR cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.13 up to (excluding) 6.18.4 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.2 up to (excluding) 6.6.120 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.7 up to (excluding) 6.12.64 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.16 up to (excluding) 6.1.163 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.2 up to (excluding) 5.15.200
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/7cad37e358970af1bb49030ff01f06a69fa7d985 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/b34289505180a83607fcfdce14b5a290d0528476 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661 Types: Patch

New CVE Received from kernel.org 1/13/2026 11:16:08 AM

Action	Type	New Value
Added	Description	Record truncated, showing 2048 of 2490 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption. This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused. This patch (of 8): In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel ma
Added	Reference	https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9
Added	Reference	https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c
Added	Reference	https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4
Added	Reference	https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661

Quick Info

CVE Dictionary Entry:
CVE-2025-71089
NVD Published Date:
01/13/2026
NVD Last Modified:
06/17/2026
Source:
kernel.org

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2025-71089 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

CVE Modified by CISA-ADP 6/17/2026 6:03:38 AM

CVE Modified by kernel.org 6/17/2026 6:03:38 AM

CVE Modified by kernel.org 4/02/2026 5:16:20 AM

Initial Analysis by NIST 2/26/2026 1:42:40 PM

CVE Modified by kernel.org 2/12/2026 4:16:08 AM

New CVE Received from kernel.org 1/13/2026 11:16:08 AM

Quick Info