CVE-2025-71089

EUVD-2026-2241

13.01.2026, 16:16

In the Linux kernel, the following vulnerability has been resolved:

iommu: disable SVA when CONFIG_X86 is set

Patch series "Fix stale IOTLB entries for kernel address space", v7.

This proposes a fix for a security vulnerability related to IOMMU Shared
Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel
page table entries. When a kernel page table page is freed and
reallocated for another purpose, the IOMMU might still hold stale,
incorrect entries. This can be exploited to cause a use-after-free or
write-after-free condition, potentially leading to privilege escalation or
data corruption.

This solution introduces a deferred freeing mechanism for kernel page
table pages, which provides a safe window to notify the IOMMU to
invalidate its caches before the page is reused.

This patch (of 8):

In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware
shares and walks the CPU's page tables. The x86 architecture maps the
kernel's virtual address space into the upper portion of every process's
page table. Consequently, in an SVA context, the IOMMU hardware can walk
and cache kernel page table entries.

The Linux kernel currently lacks a notification mechanism for kernel page
table changes, specifically when page table pages are freed and reused.
The IOMMU driver is only notified of changes to user virtual address
mappings. This can cause the IOMMU's internal caches to retain stale
entries for kernel VA.

Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when
kernel page table pages are freed and later reallocated. The IOMMU could
misinterpret the new data as valid page table entries. The IOMMU might
then walk into attacker-controlled memory, leading to arbitrary physical
memory DMA access or privilege escalation. This is also a
Write-After-Free issue, as the IOMMU will potentially continue to write
Accessed and Dirty bits to the freed memory while attempting to walk the
stale page tables.

Currently, SVA contexts are unprivileged and cannot access kernel
mappings. However, the IOMMU will still walk kernel-only page tables all
the way down to the leaf entries, where it realizes the mapping is for the
kernel and errors out. This means the IOMMU still caches these
intermediate page table entries, making the described vulnerability a real
concern.

Disable SVA on x86 architecture until the IOMMU can receive notification
to flush the paging cache before freeing the CPU kernel page table pages.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.2 ≤ 𝑥 < 5.15.200
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.163
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.120
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.64
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.174-1 fixed
bullseye	vulnerable
bullseye (security)	vulnerable
forky	7.0.9-1 fixed
sid	7.0.10-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.90-2 fixed

linux-6.1

bullseye (security)

6.1.174-1~deb11u1

fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 15 SP5	5.14.21-150500.55.136.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.87.1 fixed

dlm-kmp-default

suse enterprise server 15 SP5	5.14.21-150500.55.136.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.87.1 fixed

gfs2-kmp-default

suse enterprise server 15 SP5	5.14.21-150500.55.136.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.87.1 fixed

kernel-64kb

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.194.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.136.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.87.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

kernel-azure

suse enterprise sap 15 SP7	6.4.0-150700.20.27.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.27.1 fixed

kernel-default

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.194.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.136.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.87.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

kernel-default-base

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1.150700.17.21.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1.150700.17.21.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.194.1.150400.24.98.3 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.136.1.150500.6.67.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.87.1.150600.12.40.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1.150700.17.21.1 fixed

kernel-docs

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.194.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.136.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.87.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

kernel-macros

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.194.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.136.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.87.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.194.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.136.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.87.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

kernel-source

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.194.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.136.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.87.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

kernel-source-azure

suse enterprise sap 15 SP7	6.4.0-150700.20.27.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.27.1 fixed

kernel-syms

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.194.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.136.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.87.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

kernel-syms-azure

suse enterprise sap 15 SP7	6.4.0-150700.20.27.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.27.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.194.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.136.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.87.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

ocfs2-kmp-default

suse enterprise server 15 SP5	5.14.21-150500.55.136.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.87.1 fixed

reiserfs-kmp-default

suse enterprise server 15 SP4	5.14.21-150400.24.194.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.136.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.87.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

kernel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-debug

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-debug-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-debug-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-debug-devel-matched

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-debug-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-debug-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-debug-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-devel-matched

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-64k-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-abi-stablelists

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug-devel-matched

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-debug-uki-virt

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-devel-matched

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-doc

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-debug

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-debug-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-debug-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-debug-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-debug-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-debug-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-64k-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-debug

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-debug-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-debug-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-debug-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-debug-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-debug-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-rt-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-tools

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-tools-libs

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-tools-libs-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-uki-virt

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-uki-virt-addons

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-zfcpdump

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-zfcpdump-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-zfcpdump-devel

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-zfcpdump-devel-matched

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-zfcpdump-modules

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-zfcpdump-modules-core

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

kernel-zfcpdump-modules-extra

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

libperf

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

perf

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

python3-perf

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

rtla

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

RHEL 9

0:5.14.0-687.12.1.el9_8

fixed

References

https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9

https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c

https://git.kernel.org/stable/c/7cad37e358970af1bb49030ff01f06a69fa7d985

https://git.kernel.org/stable/c/b34289505180a83607fcfdce14b5a290d0528476

https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4

https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661