LiveActive security incident?Get immediate response
CVE Record

CVE-2025-71089: iommu: disable SVA when CONFIG_X86 is set

In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption. This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused. This patch (of 8): In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages.

HighCVSS 7.8Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2025-71089 is a Linux kernel flaw involving IOMMU Shared Virtual Addressing on x86. Stale IOMMU cache entries may let a local, low-privileged attacker corrupt memory or escalate privileges. The kernel fix direction is to disable SVA on x86 until safer invalidation exists.

Executive priority

Treat as high priority for shared Linux infrastructure, virtualization hosts, developer systems, and multi-user servers. It is not currently evidenced as internet-exploitable or actively exploited, but the potential impact is privilege escalation and memory corruption on affected x86 Linux systems.

Technical view

In x86 SVA contexts, the IOMMU can walk and cache kernel page-table entries. Linux did not notify the IOMMU when kernel page-table pages were freed and reused, creating stale IOTLB entries. This can lead to use-after-free or write-after-free behavior, arbitrary physical DMA access, privilege escalation, or data corruption.

Likely exposure

Exposure appears limited to Linux systems on x86 using IOMMU SVA. Attack prerequisites are local access, low privileges, no user interaction, and high complexity. The affected-version data in the provided record is not fully clear, so kernel vendor mapping should be verified.

Exploitation context

No active exploitation is stated in the provided sources, and the CVE is not marked KEV. The issue is serious because successful exploitation could cross privilege boundaries and affect confidentiality, integrity, and availability, but it requires local conditions and specific kernel/IOMMU behavior.

Researcher notes

The public record describes an architectural SVA issue and references stable kernel commits. Affected-version representation in the provided bundle is ambiguous. Avoid assuming all Linux deployments are affected; validate CONFIG_X86, IOMMU/SVA use, and distribution backports against vendor guidance.

Mitigation direction

  • Review Linux vendor advisories for your distribution’s fixed kernel packages.
  • Apply stable kernel updates containing the referenced fixes when available.
  • If vendor-supported, disable SVA on x86 systems until patched.
  • Prioritize systems allowing untrusted local users or workloads.

Validation and detection

  • Inventory Linux kernel versions across x86 systems.
  • Identify systems with IOMMU and SVA capability or use.
  • Compare installed kernels against vendor advisories and referenced stable commits.
  • Confirm patched kernels or vendor-recommended SVA disablement are in place.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

description · low confidence lookup

Privilege behavior lookup

The CVE wording references privilege impact, so privilege escalation and authorization behavior review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-71089 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.8CVSS 3.1HighCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H1.16Linux

Vulnerability scoring details

Base CVSS 3.1 score

7.8High
CVSS 3.1 vector shape for CVE-2025-71089Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux26b25a2b98e45aeb40eedcedc586ad5034cbd984, 26b25a2b98e45aeb40eedcedc586ad5034cbd984, 26b25a2b98e45aeb40eedcedc586ad5034cbd984, 26b25a2b98e45aeb40eedcedc586ad5034cbd984, 26b25a2b98e45aeb40eedcedc586ad5034cbd984, 26b25a2b98e45aeb40eedcedc586ad5034cbd984unaffected
LinuxLinux5.2, 0, 5.15.200, 6.1.163, 6.6.120, 6.12.64, 6.18.4, 6.19affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.