CVE Record

CVE-2025-71087: iavf: fix off-by-one issues in iavf_config_rss_reg()

In the Linux kernel, the following vulnerability has been resolved:

iavf: fix off-by-one issues in iavf_config_rss_reg()

There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers.

Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), the loop upper bounds were:

    i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX

which is safe since the value is the last valid index. That commit changed the bounds to:

    i <= adapter->rss_{key,lut}_size / 4

where `rss_{key,lut}_size / 4` is the number of dwords, so the last valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=` accesses one element past the end.

Fix the issues by using `<` instead of `<=`, ensuring we do not exceed the bounds.

[1] KASAN splat about rss_key_size off-by-one

    BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
    Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63

    CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
    Workqueue: iavf iavf_watchdog_task
    Call Trace:
     <TASK>
     dump_stack_lvl+0x6f/0xb0
     print_report+0x170/0x4f3
     kasan_report+0xe1/0x1a0
     iavf_config_rss+0x619/0x800
     iavf_watchdog_task+0x2be7/0x3230
     process_one_work+0x7fd/0x1420
     worker_thread+0x4d1/0xd40
     kthread+0x344/0x660
     ret_from_fork+0x249/0x320
     ret_from_fork_asm+0x1a/0x30
     </TASK>

    Allocated by task 63:
     kasan_save_stack+0x30/0x50
     kasan_save_track+0x14/0x30
     __kasan_kmalloc+0x7f/0x90
     __kmalloc_noprof+0x246/0x6f0
     iavf_watchdog_task+0x28fc/0x3230
     process_one_work+0x7fd/0x1420
     worker_thread+0x4d1/0xd40
     kthread+0x344/0x660
     ret_from_fork+0x249/0x320
     ret_from_fork_asm+0x1a/0x30

    The buggy address belongs to the object at ffff888102c50100
     which belongs to the cache kmalloc-64 of size 64
    The buggy address is located 0 bytes to the right of
     allocated 52-byte region [ffff888102c50100, ffff888102c50134)

    The buggy address belongs to the physical page:
    page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
    flags: 0x200000000000000(node=0|zone=2)
    page_type: f5(slab)
    raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
    raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
     ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
    >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
                                         ^
     ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
     ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

Severity: Unknown. CVSS: not scored. Not KEV-listed.

Glexia's Take: moderate

Analyst readout for executives and security teams

Plain-English summary

This is a Linux kernel driver bug in iavf network handling. A boundary mistake can read just past allocated memory and write past intended device register bounds during RSS configuration. It matters mainly for systems using the affected iavf driver. There is no cited evidence of active exploitation.

Executive priority

Treat as a targeted infrastructure maintenance item, not an emergency. Prioritize virtualization or network-heavy Linux systems using iavf, and fold remediation into the next kernel patch cycle unless vendor guidance raises urgency.

Technical view

iavf_config_rss_reg() used <= where < was required when iterating RSS hash key and lookup table dwords. The CVE notes slab out-of-bounds reads and out-of-bounds writes to device registers. Stable kernel commits correct the loop bounds. Severity and CVSS were not provided in the source bundle.
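To make the bound error concrete, here is an added user-space model of the loop described above. It is not the kernel's iavf code: the register block (`struct fake_regs`, `HKEY_REG_COUNT`), the function names (`program_rss_key`, `rss_last_index`, `rss_oob_read_offset`, `rss_config_is_safe`) and the key bytes are constructed for this example. The 52-byte key size is taken from the KASAN report (the allocated 52-byte region), so the model reproduces the reported read offset: with the `i <= size / 4` bound the loop reaches index 13, four bytes past the end of the allocation, which is exactly the 0x134 address in the splat.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sizes: 52 bytes matches the 52-byte region in the KASAN report.
 * HKEY_REG_COUNT (13 dword registers) is an assumption made for this model. */
#define RSS_KEY_SIZE   52
#define HKEY_REG_COUNT (RSS_KEY_SIZE / 4)

/* Stand-in for the device's HKEY register block (assumed layout). */
struct fake_regs {
    uint32_t hkey[HKEY_REG_COUNT];
    uint32_t next_reg;  /* whatever register sits after the last HKEY index */
};

struct access_report {
    size_t reads_past_end;   /* key dwords read beyond the buffer */
    size_t writes_past_end;  /* register writes beyond the last valid index */
    size_t last_index;       /* highest loop index reached */
};

/* Model of the key-programming loop in iavf_config_rss_reg(). The buffer holds
 * exactly key_size bytes, so the valid dword indices are 0 .. key_size/4 - 1.
 * use_le = true reproduces the affected kernels' `i <= size / 4` bound;
 * use_le = false uses the fixed `i < size / 4` bound. */
static struct access_report program_rss_key(const uint8_t *key, size_t key_size,
                                            struct fake_regs *regs, bool use_le)
{
    struct access_report rep = {0, 0, 0};
    size_t ndwords = key_size / 4;

    assert(key_size <= RSS_KEY_SIZE);  /* model supports keys up to 52 bytes */

    for (size_t i = 0; use_le ? i <= ndwords : i < ndwords; i++) {
        rep.last_index = i;
        if (i >= ndwords) {
            /* The extra iteration (i == ndwords): the driver would read 4 bytes
             * immediately after the allocation (KASAN: slab-out-of-bounds,
             * "0 bytes to the right" of the region) and write the register past
             * the last HKEY index. Record it here instead of dereferencing. */
            rep.reads_past_end++;
            rep.writes_past_end++;
            regs->next_reg = 0xffffffffu;  /* the stray register write */
            continue;
        }
        uint32_t dword;
        memcpy(&dword, key + i * 4, sizeof dword);  /* dword-wise copy, as the driver does */
        regs->hkey[i] = dword;
    }
    return rep;
}

/* Highest dword index the loop touches for a given key size and bound. */
size_t rss_last_index(size_t key_size, bool use_le)
{
    uint8_t key[RSS_KEY_SIZE] = {0};
    struct fake_regs regs = {{0}, 0};
    return program_rss_key(key, key_size, &regs, use_le).last_index;
}

/* Byte offset of the first out-of-bounds read with the buggy bound. For a
 * 52-byte key this is 52 (0x34): 0x...100 + 0x34 = 0x...134 in the report. */
size_t rss_oob_read_offset(size_t key_size)
{
    return (key_size / 4) * 4;
}

/* Run the model with constructed key bytes and report whether the loop stayed
 * inside both the key buffer and the HKEY register block. */
bool rss_config_is_safe(bool use_le)
{
    uint8_t key[RSS_KEY_SIZE];
    struct fake_regs regs;
    memset(&regs, 0, sizeof regs);
    for (size_t i = 0; i < sizeof key; i++)
        key[i] = (uint8_t)(0xa5 ^ i);  /* constructed key material */

    struct access_report rep = program_rss_key(key, sizeof key, &regs, use_le);
    return rep.reads_past_end == 0 && rep.writes_past_end == 0 && regs.next_reg == 0;
}

int main(void)
{
    printf("buggy (i <= size/4): last index %zu, safe=%d\n",
           rss_last_index(RSS_KEY_SIZE, true), rss_config_is_safe(true));
    printf("fixed (i <  size/4): last index %zu, safe=%d\n",
           rss_last_index(RSS_KEY_SIZE, false), rss_config_is_safe(false));
    printf("first OOB read offset with buggy bound: %zu bytes\n",
           rss_oob_read_offset(RSS_KEY_SIZE));
    return 0;
}
```

The model counts the out-of-bounds iteration rather than performing it, so it runs cleanly without a sanitizer; the point it shows is that a "count of elements" bound needs `<`, while a "last valid index" bound (the pre-43a3d9ba34c9 `MAX_INDEX` form) needs `<=`, and mixing the two forms is what produced the one-past-the-end access.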

Likely exposure

Exposure is likely limited to Linux systems running affected kernel builds with the iavf driver in use. Systems not using iavf are less likely exposed. The affected-version data is incomplete, so validate against stable commits and distribution advisories.

Exploitation context

The bundle marks KEV as false and provides no cited evidence of active exploitation. The source shows a KASAN-detected crash path during iavf watchdog RSS configuration, not a demonstrated real-world attack path.

Researcher notes

Evidence supports a kernel memory-safety flaw in iavf RSS configuration. Public data lacks CVSS, exploitability analysis, and distribution-specific affected ranges. Avoid assuming impact beyond the described out-of-bounds read and device-register write.

Mitigation direction

  • Update to a Linux kernel build containing the referenced stable fixes.
  • Check your Linux distribution’s advisory for backported iavf fixes.
  • Prioritize hosts using iavf-backed network interfaces.
  • If patching is delayed, follow vendor guidance for temporary risk reduction.

Validation and detection

  • Inventory Linux hosts using the iavf driver.
  • Map running kernel builds to distro advisories or referenced stable commits.
  • Confirm the iavf RSS bounds fix is present in source or package changelog.
  • Review kernel logs for iavf or KASAN out-of-bounds indicators.
Confidence: medium. Sources: 9.

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.


CVE-2025-71087 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Vulnerability profile (CVE Program record)

Severity: Unknown
CVSS: Not scored
Known Exploited: No
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

  • 0 CVSS vectors
  • 3 timeline events
  • 1 ADP provider
  • 8 source links

SSVC decision data

Provider: CISA-ADP (CISA Coordinator)
SSVC version: 2.0.3
Exploitation: none
Automatable: no
Technical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reserved (CVE Program): the CVE ID was reserved by the assigning CNA.
  2. CVE published (CVE Program): the CVE record was published.
  3. CVE updated (CVE Program): the CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADP (CISA ADP Vulnrichment): other:ssvc
Affected products

Products and packages named in the record

Vendor  Product  Version / package                                                          Status
Linux   Linux    43a3d9ba34c9ca313573201d3f45de5ab3494cec (listed seven times in the record)  unaffected
Linux   Linux    4.7, 0, 5.10.248, 5.15.198, 6.1.160, 6.6.120, 6.12.64, 6.18.4, 6.19           affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.