Cyber Resilience

CVE-2025-71071

High

Published: 13 January 2026
Modified: 25 March 2026
KEV Added: not listed
Patch: available (upstream kernel commits, listed under Deeper analysis)
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-71071 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel (vendor: Linux). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it is ranked at the 1.5th percentile by exploit likelihood (EPSS 0.0001, well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2025-71071 is a use-after-free in the MediaTek IOMMU driver (the iommu/mediatek subsystem) of the Linux kernel. During probe the driver looks up the LARB (SMI local arbiter) devices it depends on; each successful lookup takes a reference on the LARB device, but the driver then drops that reference immediately, on the success path as well as on the error paths, while continuing to hold the device pointer. If one of the LARB devices has not yet been bound to its own driver, the IOMMU probe returns -EPROBE_DEFER and will be retried later; in that window nothing holds the already looked-up LARB devices alive, so one of them can go away while the IOMMU driver still holds a pointer to it, and a later use of that pointer is a use-after-free. The vulnerability is classified under CWE-416 and was published on 2026-01-13. In practice the driver is only built and probed on MediaTek SoC platforms (CONFIG_MTK_IOMMU), and the race is tied to driver binding at boot or module load rather than to an attacker-controlled request, which is consistent with the very low EPSS score; the CVSS vector nonetheless rates it as a local privilege-escalation primitive.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base score 7.8). Successful exploitation yields high impact on confidentiality, integrity, and availability, potentially leading to arbitrary code execution in kernel context or full system compromise.

Mitigation requires applying the upstream Linux kernel fix ("iommu/mediatek: fix use-after-free on probe deferral") or the stable backport that carries it. The relevant commits are 1ef70a0b104ae8011811f60bcfaa55ff49385171, 5c04217d06a1161aaf36267e9d971ab6f847d5a7, 896ec55da3b90bdb9fc04fedc17ad8c359b2eee5, de83d4617f9fe059623e97acf7e1e10d209625b5, and f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a; the fix keeps the references to the LARB devices for as long as the IOMMU driver remains bound and releases them only on the error path or when the driver unbinds. Distribution kernels ship the backport in their regular kernel updates, so check the distribution advisory for the package version that contains it.
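The reference-lifetime mistake described above, modelled in plain user-space C as an added example for this page (it is not kernel code and not the MediaTek driver's own code; the types and functions larb_dev, iommu_data, probe_larbs_buggy, probe_larbs_fixed, release_larbs and leaves_dangling are invented for illustration, and a poison flag stands in for kfree() so the dangling pointer can be detected without undefined behaviour). Both probe variants look up two LARB devices; the buggy one drops each reference as soon as the pointer is stored, the fixed one keeps the reference until the deferral path unwinds it or the IOMMU driver releases it:

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#define EPROBE_DEFER 517   /* numeric value of the kernel's EPROBE_DEFER */
/* Toy reference-counted device (invented, not kernel code). Memory is never really
 * released: the `freed` poison flag stands in for kfree() so a dangling use is
 * detectable here instead of being undefined behaviour. */
struct larb_dev {
    int refcount;
    bool bound;   /* has the LARB driver probed this device yet? */
    bool freed;
};

struct iommu_data {   /* the LARB pointers one IOMMU instance keeps */
    struct larb_dev *larb[2];
    int nlarb;
};

static struct larb_dev *larb_create(bool bound)
{
    struct larb_dev *d = calloc(1, sizeof *d);
    assert(d);
    *d = (struct larb_dev){ .refcount = 1, .bound = bound };   /* refcount 1: owned by the bus */
    return d;
}

static void larb_get(struct larb_dev *d) { assert(!d->freed); d->refcount++; }
static void larb_put(struct larb_dev *d)
{
    assert(!d->freed && d->refcount > 0);
    if (--d->refcount == 0)
        d->freed = true;   /* last reference gone: the object is dead */
}

/* Buggy pattern (what the advisory describes): the lookup hands back a referenced
 * device, the pointer is stored, and the reference is dropped straight away. */
static int probe_larbs_buggy(struct iommu_data *data, struct larb_dev **devs, int n)
{
    data->nlarb = 0;
    for (int i = 0; i < n; i++) {
        larb_get(devs[i]);                     /* lookup takes a reference */
        if (!devs[i]->bound) {
            larb_put(devs[i]);
            return -EPROBE_DEFER;              /* earlier pointers stay behind, unreferenced */
        }
        data->larb[data->nlarb++] = devs[i];
        larb_put(devs[i]);                     /* BUG: the pointer outlives the reference */
    }
    return 0;
}

/* Drop every reference the fixed probe kept: the IOMMU driver's remove path. */
static void release_larbs(struct iommu_data *data)
{
    while (data->nlarb > 0)
        larb_put(data->larb[--data->nlarb]);
}

/* Fixed pattern: a stored pointer always comes with a held reference. Deferral
 * unwinds what was taken; success keeps the references until the driver unbinds. */
static int probe_larbs_fixed(struct iommu_data *data, struct larb_dev **devs, int n)
{
    data->nlarb = 0;
    for (int i = 0; i < n; i++) {
        larb_get(devs[i]);
        if (!devs[i]->bound) {
            larb_put(devs[i]);
            release_larbs(data);
            return -EPROBE_DEFER;
        }
        data->larb[data->nlarb++] = devs[i];   /* the reference travels with the pointer */
    }
    return 0;
}

typedef int (*probe_fn)(struct iommu_data *, struct larb_dev **, int);
/* One scenario: probe two LARBs (larb0 bound, larb1 as given), then let the bus
 * unregister larb0. True means the IOMMU state still points at a dead device. */
static bool leaves_dangling(probe_fn probe, bool larb1_bound, bool holds_refs)
{
    struct larb_dev *devs[2] = { larb_create(true), larb_create(larb1_bound) };
    struct iommu_data data = { 0 };
    int ret = probe(&data, devs, 2);
    assert(ret == (larb1_bound ? 0 : -EPROBE_DEFER));
    larb_put(devs[0]);   /* the bus unregisters larb0, dropping the reference it owned */
    bool dangling = data.nlarb > 0 && data.larb[0]->freed;
    if (holds_refs)
        release_larbs(&data);   /* IOMMU driver unbinds: only now may larb0 really go away */
    free(devs[0]); free(devs[1]);
    return dangling;
}

int main(void)
{
    printf("buggy probe leaves dangling pointer: defer=%d success=%d\n",
           leaves_dangling(probe_larbs_buggy, false, false), leaves_dangling(probe_larbs_buggy, true, false));
    printf("fixed probe leaves dangling pointer: defer=%d success=%d\n",
           leaves_dangling(probe_larbs_fixed, false, true), leaves_dangling(probe_larbs_fixed, true, true));
    return 0;
}
```

The deferral case is the one the commit message calls out: with the buggy probe, the pointer to larb0 survives the -EPROBE_DEFER return with no reference behind it, so the bus can free larb0 before the retry. The fixed probe unwinds on deferral and, on success, only lets larb0 die once the IOMMU driver itself has called the release path.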

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

iommu/mediatek: fix use-after-free on probe deferral

The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors. This can potentially lead to a use-after-free in case a larb device has not yet been bound to its driver so that the iommu driver probe defers.

Fix this by keeping the references as expected while the iommu driver is bound.

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A use-after-free in a kernel driver gives a local, low-privileged attacker a memory-corruption primitive in kernel context; turning that into arbitrary kernel code execution is privilege escalation, hence the mapping to T1068.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)
CVE-2026-23001 (same product: Linux kernel)
CVE-2024-50051 (same product: Linux kernel)
CVE-2025-21759 (same product: Linux kernel)

Affected Assets

Linux kernel (vendor: Linux)
Affected versions as listed (whether the upper bound of each range is inclusive is not stated; confirm against your distribution advisory): 6.19; 6.2; 6.0.16 to 6.1; 6.1.2 to 6.1.160; 6.2.1 to 6.6.120

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)

Directly requires timely remediation of the use-after-free in the MediaTek IOMMU driver by applying the upstream Linux kernel patches, in practice the distribution kernel update that carries the stable backport.

SI-16 Memory Protection (prevent)

Kernel memory-safety hardening raises the cost of turning this use-after-free into a reliable primitive (for example CONFIG_SLAB_FREELIST_HARDENED and CONFIG_INIT_ON_FREE_DEFAULT_ON, or init_on_free=1 on the kernel command line, which make stale slab objects harder to reuse predictably), but it does not remove the bug; treat it as a compensating control until the patch is applied.

RA-5 Vulnerability Monitoring and Scanning (detect)

Vulnerability scanning and monitoring identify kernels in the affected version ranges so they can be patched proactively. Because the vulnerable code is only reachable where the MediaTek IOMMU driver is built in or loaded, findings on hosts without that driver can be deprioritised.
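Two triage checks a practitioner would run when a scanner flags this CVE, written as an added example for this page (not tooling from the advisory, the scanner vendor or the kernel project): is the MediaTek IOMMU driver present on the host at all, and does the kernel's base version fall in a listed range. It assumes the module name mtk_iommu and the platform-driver name mtk-iommu from the upstream source, and it treats the ranges under Affected Assets as start-inclusive and end-exclusive, which the page does not state:

```shell
#!/bin/sh
# Added triage helpers for CVE-2025-71071 (example code, not from the advisory).

# Kernel version without the distro suffix, e.g. "6.1.100-rpi-v8" -> "6.1.100".
kernel_base_version() {
    printf '%s\n' "${1:-$(uname -r)}" | sed 's/[-+].*//'
}

# Exit 0 when the kernel config enables the MediaTek IOMMU driver
# (CONFIG_MTK_IOMMU=y built in, =m as a module). Pass the config file path,
# typically /boot/config-$(uname -r) or a decompressed /proc/config.gz.
mtk_iommu_enabled_in_config() {
    grep -Eq '^CONFIG_MTK_IOMMU=[ym]$' "$1"
}

# Exit 0 when the driver is present on the running system: built in, loaded as
# a module, or registered in sysfs under the platform-driver name "mtk-iommu"
# (assumed from the upstream driver; verify against your kernel tree).
mtk_iommu_present() {
    rel=$(uname -r)
    grep -q '/mtk_iommu\.ko' "/lib/modules/$rel/modules.builtin" 2>/dev/null && return 0
    grep -q '^mtk_iommu ' /proc/modules 2>/dev/null && return 0
    [ -d /sys/bus/platform/drivers/mtk-iommu ] && return 0
    return 1
}

# Exit 0 when lo <= ver < hi in version order (GNU sort -V). Start-inclusive,
# end-exclusive is an assumption; the advisory does not state inclusivity.
version_in_range() {
    ver=$1; lo=$2; hi=$3
    [ "$(printf '%s\n%s\n' "$lo" "$ver" | sort -V | head -n1)" = "$lo" ] || return 1
    [ "$ver" != "$hi" ] || return 1
    [ "$(printf '%s\n%s\n' "$ver" "$hi" | sort -V | head -n1)" = "$ver" ]
}

# Exit 0 when a base version matches the versions and ranges listed under
# Affected Assets on this page. Confirm against your distribution advisory,
# which names the exact package build that carries the backport.
kernel_version_listed() {
    v=$1
    [ "$v" = 6.19 ] && return 0
    [ "$v" = 6.2 ] && return 0
    version_in_range "$v" 6.0.16 6.1 && return 0
    version_in_range "$v" 6.1.2 6.1.160 && return 0
    version_in_range "$v" 6.2.1 6.6.120 && return 0
    return 1
}

# Combined verdict for the running host: "exposed", "version-listed-no-driver"
# or "not-listed". The driver check is what separates a real finding from noise.
cve_2025_71071_triage() {
    if kernel_version_listed "$(kernel_base_version)"; then
        if mtk_iommu_present; then echo exposed; else echo version-listed-no-driver; fi
    else
        echo not-listed
    fi
}
```

Run `cve_2025_71071_triage` on the host itself; on a fleet, feed `kernel_base_version` the output of `uname -r` collected from each node and keep `mtk_iommu_present` (or the config check against the node's /boot/config-*) as the filter that decides whether the finding is actionable.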
