Cyber Resilience

CVE-2025-71089

High

Published: 13 January 2026
Modified: 02 April 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-71089 is a high-severity vulnerability of unspecified weakness type in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.5th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-71089 is a vulnerability in the Linux kernel's Input-Output Memory Management Unit (IOMMU) Shared Virtual Addressing (SVA) feature, specifically affecting x86 architectures where CONFIG_X86 is enabled. In SVA contexts, the IOMMU hardware shares and walks the CPU's page tables, including the kernel's virtual address space mapped into every process's upper page table portion. The kernel lacks a mechanism to notify the IOMMU of kernel page table changes when pages are freed and reused, allowing the IOMMU to retain stale entries in its caches. This leads to use-after-free (UAF) or write-after-free (WAF) conditions, where the IOMMU misinterprets reallocated page data as valid page table entries, potentially enabling walks into attacker-controlled memory.

A local attacker with low privileges (PR:L) can exploit this vulnerability, which has a high attack complexity (AC:H) and requires local access (AV:L). In unprivileged SVA contexts, the IOMMU walks kernel-only page tables to leaf entries before erroring out, caching intermediate entries along the way. If those kernel page table pages are freed and reallocated, the stale IOMMU caches can trigger UAF/WAF, allowing the IOMMU to access arbitrary physical memory via direct memory access (DMA) or write Accessed and Dirty bits to freed memory. This can result in privilege escalation or data corruption, with a CVSS v3.1 base score of 7.8 (C:H/I:H/A:H/S:C).

Mitigation involves applying kernel patches from the "Fix stale IOTLB entries for kernel address space" series, including the specific commit that disables SVA on x86 architectures until the IOMMU receives proper notifications to flush paging caches before kernel page table pages are freed. Stable kernel commits such as 240cd7f2812c, 72f98ef9a4be, 7cad37e35897, b34289505180, and c2c3f1a3fd74 address this by introducing deferred freeing mechanisms and disabling the feature as an interim measure.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

iommu: disable SVA when CONFIG_X86 is set

Patch series "Fix stale IOTLB entries for kernel address space", v7.

This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption.

This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused.

This patch (of 8):

In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries.

The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA.

Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables.

Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern.

Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Kernel UAF/WAF in IOMMU SVA page table handling directly enables local exploitation for privilege escalation via arbitrary DMA/physical memory access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152 (same product: Linux Linux Kernel)
CVE-2026-23111 (same product: Linux Linux Kernel)
CVE-2026-31530 (same product: Linux Linux Kernel)
CVE-2026-23387 (same product: Linux Linux Kernel)
CVE-2025-21856 (same product: Linux Linux Kernel)
CVE-2025-21727 (same product: Linux Linux Kernel)
CVE-2026-23275 (same product: Linux Linux Kernel)
CVE-2026-31401 (same product: Linux Linux Kernel)
CVE-2024-57980 (same product: Linux Linux Kernel)
CVE-2026-23437 (same product: Linux Linux Kernel)

Affected Assets

linux
linux kernel
5.2 — 5.15.200 · 5.16 — 6.1.163 · 6.2 — 6.6.120
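
A triage check built from the ranges above and the x86/SVA condition described in the analysis, as an added example that is not part of the original advisory or of the kernel project. The function names are hypothetical; treating both ends of each range as inclusive and the SVA Kconfig symbol names (everything except CONFIG_X86) are assumptions.

```python
import re

# Ranges copied from "Affected Assets" on this page. Assumption: both ends are
# treated as inclusive, since the page does not say whether the upper bound is fixed.
AFFECTED_RANGES = [
    ((5, 2, 0), (5, 15, 200)),
    ((5, 16, 0), (6, 1, 163)),
    ((6, 2, 0), (6, 6, 120)),
]
# Assumption: Kconfig symbols that build SVA support; names vary by kernel series.
SVA_SYMBOLS = ("CONFIG_IOMMU_SVA", "CONFIG_IOMMU_SVA_LIB", "CONFIG_INTEL_IOMMU_SVM")

def parse_release(release):
    """Turn a `uname -r` string such as '6.1.150-amd64' into (6, 1, 150)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def in_listed_range(release):
    """True if the release falls inside one of the ranges listed on this page."""
    v = parse_release(release)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def enabled(config_text, symbol):
    """True if the kernel .config text contains SYMBOL=y."""
    return re.search(rf"^{re.escape(symbol)}=y\s*$", config_text, re.M) is not None

def triage(release, config_text):
    """Classify one host from its kernel release string and kernel config text."""
    if not in_listed_range(release):
        return "outside listed ranges"
    if not enabled(config_text, "CONFIG_X86"):
        return "in range, not an x86 build"
    if not any(enabled(config_text, s) for s in SVA_SYMBOLS):
        return "in range, no SVA option found: verify"
    return "in range, x86 with SVA built: patch"

# Constructed sample config excerpts (not taken from a real host).
SAMPLE_SVA = "CONFIG_X86=y\nCONFIG_X86_64=y\nCONFIG_IOMMU_SVA=y\n"
SAMPLE_NO_SVA = "CONFIG_X86=y\n# CONFIG_IOMMU_SVA is not set\n"

if __name__ == "__main__":
    for rel, cfg in [("6.1.150-amd64", SAMPLE_SVA), ("6.6.50", SAMPLE_NO_SVA),
                     ("6.6.121", SAMPLE_SVA)]:
        print(rel, "->", triage(rel, cfg))
```

Distribution kernels often backport fixes without changing the upstream version number, so confirm a "patch" verdict against the vendor's own advisory for the installed package.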

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Mandates timely identification, reporting, and patching of kernel flaws like the IOMMU SVA stale IOTLB entries leading to UAF/WAF.

prevent

Requires secure configuration settings for the Linux kernel to disable vulnerable SVA on x86 architectures, preventing stale kernel page table caching.

prevent

Provides memory protection mechanisms that mitigate use-after-free and write-after-free conditions from IOMMU access to reallocated kernel page tables.
