CVE-2025-71078
Published: 13 January 2026
Summary
CVE-2025-71078 is a high-severity vulnerability of unspecified weakness type in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 1.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-71078 affects the Linux kernel's powerpc/64s SLB (Segment Lookaside Buffer) management on systems using the hash MMU. The vulnerability stems from inconsistencies between the hardware SLB buffer and a software preload cache that mirrors its entries. This cache undergoes periodic eviction, typically after 256 context switches. The kernel optimizes performance by skipping switch_mmu_context() in switch_mm_irqs_off() when the previous and next mm_struct are identical. However, on hash MMU systems, this optimization can leave stale SLB entries in hardware when a process migrates between CPUs without a full MMU context switch, leading to an SLB multi-hit error upon reload attempts.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation requires scenarios involving process execution, such as load_elf_binary during execve, combined with context switches, task migrations via sched_migrate_task, and SLB preload operations across CPUs. This can desynchronize the hardware SLB and software cache, triggering a multi-hit error and enabling high impacts on confidentiality, integrity, and availability.
Mitigation requires updating to a patched Linux kernel version incorporating the fixes from the stable branch commits. Key patches include:
- https://git.kernel.org/stable/c/00312419f0863964625d6dcda8183f96849412c6
- https://git.kernel.org/stable/c/01324c0328181b94cf390bda22ff91c75126ea57
- https://git.kernel.org/stable/c/2e9a95d60f1df7b57618fd5ef057aef331575bd2
- https://git.kernel.org/stable/c/4ae1e46d8a290319f33f71a2710a1382ba5431e8
- https://git.kernel.org/stable/c/895123c309a34d2cfccf7812b41e17261a3a6f37
These address the SLB multihit issue during preload by ensuring proper synchronization between the hardware SLB and the software preload cache.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2265
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: powerpc/64s/slb: Fix SLB multihit issue during SLB preload

On systems using the hash MMU, there is a software SLB preload cache that mirrors the entries loaded into the hardware SLB buffer. This preload cache is subject to periodic eviction — typically after every 256 context switches — to remove old entries.

To optimize performance, the kernel skips switch_mmu_context() in switch_mm_irqs_off() when the prev and next mm_struct are the same. However, on hash MMU systems, this can lead to inconsistencies between the hardware SLB and the software preload cache. If an SLB entry for a process is evicted from the software cache on one CPU, and the same process later runs on another CPU without executing switch_mmu_context(), the hardware SLB may retain stale entries. If the kernel then attempts to reload that entry, it can trigger an SLB multi-hit error.

The following timeline shows how stale SLB entries are created and can cause a multi-hit error when a process moves between CPUs without a MMU context switch.

    CPU 0                                   CPU 1
    -----                                   -----
    Process P
    exec                                    swapper/1
     load_elf_binary
      begin_new_exc
       activate_mm
        switch_mm_irqs_off
         switch_mmu_context
          switch_slb
          /*
           * This invalidates all
           * the entries in the HW
           * and setup the new HW
           * SLB entries as per the
           * preload cache.
           */
    context_switch
    sched_migrate_task migrates process P to cpu-1

    Process swapper/0                       context switch (to process P)
                                            (uses mm_struct of Process P)
                                            switch_mm_irqs_off()
                                             switch_slb
                                              load_slb++
                                              /*
                                               * load_slb becomes 0 here
                                               * and we evict an entry from
                                               * the preload cache with
                                               * preload_age(). We still
                                               * keep HW SLB and preload
                                               * cache in sync, that is
                                               * because all HW SLB entries
                                               * anyways gets evicted in
                                               * switch_slb during SLBIA.
                                               * We then only add those
                                               * entries back in HW SLB,
                                               * which are currently
                                               * present in preload_cache
                                               * (after eviction).
                                               */
                                            load_elf_binary continues...
                                            setup_new_exec()
                                             slb_setup_new_exec()

                                            sched_switch event
                                            sched_migrate_task migrates
                                            process P to cpu-0

    context_switch from swapper/0 to Process P
    switch_mm_irqs_off()
     /*
      * Since both prev and next mm struct are same we don't call
      * switch_mmu_context(). This will cause the HW SLB and SW preload
      * cache to go out of sync in preload_new_slb_context. Because there
      * was an SLB entry which was evicted from both HW and preload cache
      * on cpu-1. Now later in preload_new_slb_context(), when we will try
      * to add the same preload entry again, we will add this to the SW
      * preload cache and then will add it to the HW SLB. Since on cpu-0
      * this entry was never invalidated, hence adding this entry to the HW
      * SLB will cause a SLB multi-hit error.
      */
    load_elf_binary cont ---truncated---
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Privilege Escalation (T1068)
Why these techniques?
Local kernel vulnerability enabling privilege escalation via SLB desync and multi-hit errors during process migration/exec.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely identification, prioritization, and remediation of kernel flaws like CVE-2025-71078 through patching, preventing the SLB multihit error.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning and monitoring identify systems running unpatched Linux kernels on powerpc/64s hash MMU that are exposed to the SLB inconsistency.
- Configuration settings: enforces and monitors secure configuration settings for the Linux kernel, including running patched versions that resolve the SLB preload multihit issue.