{"api_version":"1","generated_at":"2026-04-23T03:26:28+00:00","cve":"CVE-2025-71089","urls":{"html":"https://cve.report/CVE-2025-71089","api":"https://cve.report/api/cve/CVE-2025-71089.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-71089","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-71089"},"summary":{"title":"iommu: disable SVA when CONFIG_X86 is set","description":"In the Linux kernel, the following vulnerability has been resolved:\n\niommu: disable SVA when CONFIG_X86 is set\n\nPatch series \"Fix stale IOTLB entries for kernel address space\", v7.\n\nThis proposes a fix for a security vulnerability related to IOMMU Shared\nVirtual Addressing (SVA).  In an SVA context, an IOMMU can cache kernel\npage table entries.  When a kernel page table page is freed and\nreallocated for another purpose, the IOMMU might still hold stale,\nincorrect entries.  This can be exploited to cause a use-after-free or\nwrite-after-free condition, potentially leading to privilege escalation or\ndata corruption.\n\nThis solution introduces a deferred freeing mechanism for kernel page\ntable pages, which provides a safe window to notify the IOMMU to\ninvalidate its caches before the page is reused.\n\n\nThis patch (of 8):\n\nIn the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware\nshares and walks the CPU's page tables.  The x86 architecture maps the\nkernel's virtual address space into the upper portion of every process's\npage table.  Consequently, in an SVA context, the IOMMU hardware can walk\nand cache kernel page table entries.\n\nThe Linux kernel currently lacks a notification mechanism for kernel page\ntable changes, specifically when page table pages are freed and reused. \nThe IOMMU driver is only notified of changes to user virtual address\nmappings.  This can cause the IOMMU's internal caches to retain stale\nentries for kernel VA.\n\nUse-After-Free (UAF) and Write-After-Free (WAF) conditions arise when\nkernel page table pages are freed and later reallocated.  The IOMMU could\nmisinterpret the new data as valid page table entries.  The IOMMU might\nthen walk into attacker-controlled memory, leading to arbitrary physical\nmemory DMA access or privilege escalation.  This is also a\nWrite-After-Free issue, as the IOMMU will potentially continue to write\nAccessed and Dirty bits to the freed memory while attempting to walk the\nstale page tables.\n\nCurrently, SVA contexts are unprivileged and cannot access kernel\nmappings.  However, the IOMMU will still walk kernel-only page tables all\nthe way down to the leaf entries, where it realizes the mapping is for the\nkernel and errors out.  This means the IOMMU still caches these\nintermediate page table entries, making the described vulnerability a real\nconcern.\n\nDisable SVA on x86 architecture until the IOMMU can receive notification\nto flush the paging cache before freeing the CPU kernel page table pages.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-01-13 16:16:08","updated_at":"2026-04-02 09:16:20"},"problem_types":["NVD-CWE-noinfo"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"baseScore":7.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661","name":"https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9","name":"https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4","name":"https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c","name":"https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/b34289505180a83607fcfdce14b5a290d0528476","name":"https://git.kernel.org/stable/c/b34289505180a83607fcfdce14b5a290d0528476","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7cad37e358970af1bb49030ff01f06a69fa7d985","name":"https://git.kernel.org/stable/c/7cad37e358970af1bb49030ff01f06a69fa7d985","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-71089","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71089","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 26b25a2b98e45aeb40eedcedc586ad5034cbd984 b34289505180a83607fcfdce14b5a290d0528476 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 26b25a2b98e45aeb40eedcedc586ad5034cbd984 7cad37e358970af1bb49030ff01f06a69fa7d985 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 26b25a2b98e45aeb40eedcedc586ad5034cbd984 240cd7f2812cc25496b12063d11c823618f364e9 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 26b25a2b98e45aeb40eedcedc586ad5034cbd984 c2c3f1a3fd74ef16cf115f0c558616a13a8471b4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 26b25a2b98e45aeb40eedcedc586ad5034cbd984 c341dee80b5df49a936182341b36395c831c2661 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 26b25a2b98e45aeb40eedcedc586ad5034cbd984 72f98ef9a4be30d2a60136dd6faee376f780d06c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.2","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.2 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.200 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.163 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.120 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.64 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.4 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2025","cve_id":"71089","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/iommu/iommu-sva.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"b34289505180a83607fcfdce14b5a290d0528476","status":"affected","version":"26b25a2b98e45aeb40eedcedc586ad5034cbd984","versionType":"git"},{"lessThan":"7cad37e358970af1bb49030ff01f06a69fa7d985","status":"affected","version":"26b25a2b98e45aeb40eedcedc586ad5034cbd984","versionType":"git"},{"lessThan":"240cd7f2812cc25496b12063d11c823618f364e9","status":"affected","version":"26b25a2b98e45aeb40eedcedc586ad5034cbd984","versionType":"git"},{"lessThan":"c2c3f1a3fd74ef16cf115f0c558616a13a8471b4","status":"affected","version":"26b25a2b98e45aeb40eedcedc586ad5034cbd984","versionType":"git"},{"lessThan":"c341dee80b5df49a936182341b36395c831c2661","status":"affected","version":"26b25a2b98e45aeb40eedcedc586ad5034cbd984","versionType":"git"},{"lessThan":"72f98ef9a4be30d2a60136dd6faee376f780d06c","status":"affected","version":"26b25a2b98e45aeb40eedcedc586ad5034cbd984","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/iommu/iommu-sva.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.2"},{"lessThan":"5.2","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.200","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.163","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.120","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.64","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.19","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.200","versionStartIncluding":"5.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.163","versionStartIncluding":"5.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.120","versionStartIncluding":"5.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.64","versionStartIncluding":"5.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.4","versionStartIncluding":"5.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19","versionStartIncluding":"5.2","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\niommu: disable SVA when CONFIG_X86 is set\n\nPatch series \"Fix stale IOTLB entries for kernel address space\", v7.\n\nThis proposes a fix for a security vulnerability related to IOMMU Shared\nVirtual Addressing (SVA).  In an SVA context, an IOMMU can cache kernel\npage table entries.  When a kernel page table page is freed and\nreallocated for another purpose, the IOMMU might still hold stale,\nincorrect entries.  This can be exploited to cause a use-after-free or\nwrite-after-free condition, potentially leading to privilege escalation or\ndata corruption.\n\nThis solution introduces a deferred freeing mechanism for kernel page\ntable pages, which provides a safe window to notify the IOMMU to\ninvalidate its caches before the page is reused.\n\n\nThis patch (of 8):\n\nIn the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware\nshares and walks the CPU's page tables.  The x86 architecture maps the\nkernel's virtual address space into the upper portion of every process's\npage table.  Consequently, in an SVA context, the IOMMU hardware can walk\nand cache kernel page table entries.\n\nThe Linux kernel currently lacks a notification mechanism for kernel page\ntable changes, specifically when page table pages are freed and reused. \nThe IOMMU driver is only notified of changes to user virtual address\nmappings.  This can cause the IOMMU's internal caches to retain stale\nentries for kernel VA.\n\nUse-After-Free (UAF) and Write-After-Free (WAF) conditions arise when\nkernel page table pages are freed and later reallocated.  The IOMMU could\nmisinterpret the new data as valid page table entries.  The IOMMU might\nthen walk into attacker-controlled memory, leading to arbitrary physical\nmemory DMA access or privilege escalation.  This is also a\nWrite-After-Free issue, as the IOMMU will potentially continue to write\nAccessed and Dirty bits to the freed memory while attempting to walk the\nstale page tables.\n\nCurrently, SVA contexts are unprivileged and cannot access kernel\nmappings.  However, the IOMMU will still walk kernel-only page tables all\nthe way down to the leaf entries, where it realizes the mapping is for the\nkernel and errors out.  This means the IOMMU still caches these\nintermediate page table entries, making the described vulnerability a real\nconcern.\n\nDisable SVA on x86 architecture until the IOMMU can receive notification\nto flush the paging cache before freeing the CPU kernel page table pages."}],"metrics":[{"cvssV3_1":{"baseScore":7.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"providerMetadata":{"dateUpdated":"2026-04-02T08:39:37.445Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/b34289505180a83607fcfdce14b5a290d0528476"},{"url":"https://git.kernel.org/stable/c/7cad37e358970af1bb49030ff01f06a69fa7d985"},{"url":"https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9"},{"url":"https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4"},{"url":"https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661"},{"url":"https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c"}],"title":"iommu: disable SVA when CONFIG_X86 is set","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2025-71089","datePublished":"2026-01-13T15:34:51.079Z","dateReserved":"2026-01-13T15:30:19.649Z","dateUpdated":"2026-04-02T08:39:37.445Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-01-13 16:16:08","lastModifiedDate":"2026-04-02 09:16:20","problem_types":["NVD-CWE-noinfo"],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.1,"impactScore":6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.15.200","matchCriteriaId":"E5B74AED-8F4D-46D6-9567-2309ADEA5E74"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.163","matchCriteriaId":"E9C856E1-4308-4C0B-A973-7DD375DF66C4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.120","matchCriteriaId":"43C3A206-5EEE-417B-AA0F-EF8972E7A9F0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.64","matchCriteriaId":"32BF4A52-377C-44ED-B5E6-7EA5D896E98B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.4","matchCriteriaId":"DC988EA0-0E32-457A-BF95-89BEB31A227B"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"71089","Ordinal":"1","Title":"iommu: disable SVA when CONFIG_X86 is set","CVE":"CVE-2025-71089","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"71089","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\niommu: disable SVA when CONFIG_X86 is set\n\nPatch series \"Fix stale IOTLB entries for kernel address space\", v7.\n\nThis proposes a fix for a security vulnerability related to IOMMU Shared\nVirtual Addressing (SVA).  In an SVA context, an IOMMU can cache kernel\npage table entries.  When a kernel page table page is freed and\nreallocated for another purpose, the IOMMU might still hold stale,\nincorrect entries.  This can be exploited to cause a use-after-free or\nwrite-after-free condition, potentially leading to privilege escalation or\ndata corruption.\n\nThis solution introduces a deferred freeing mechanism for kernel page\ntable pages, which provides a safe window to notify the IOMMU to\ninvalidate its caches before the page is reused.\n\n\nThis patch (of 8):\n\nIn the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware\nshares and walks the CPU's page tables.  The x86 architecture maps the\nkernel's virtual address space into the upper portion of every process's\npage table.  Consequently, in an SVA context, the IOMMU hardware can walk\nand cache kernel page table entries.\n\nThe Linux kernel currently lacks a notification mechanism for kernel page\ntable changes, specifically when page table pages are freed and reused. \nThe IOMMU driver is only notified of changes to user virtual address\nmappings.  This can cause the IOMMU's internal caches to retain stale\nentries for kernel VA.\n\nUse-After-Free (UAF) and Write-After-Free (WAF) conditions arise when\nkernel page table pages are freed and later reallocated.  The IOMMU could\nmisinterpret the new data as valid page table entries.  The IOMMU might\nthen walk into attacker-controlled memory, leading to arbitrary physical\nmemory DMA access or privilege escalation.  This is also a\nWrite-After-Free issue, as the IOMMU will potentially continue to write\nAccessed and Dirty bits to the freed memory while attempting to walk the\nstale page tables.\n\nCurrently, SVA contexts are unprivileged and cannot access kernel\nmappings.  However, the IOMMU will still walk kernel-only page tables all\nthe way down to the leaf entries, where it realizes the mapping is for the\nkernel and errors out.  This means the IOMMU still caches these\nintermediate page table entries, making the described vulnerability a real\nconcern.\n\nDisable SVA on x86 architecture until the IOMMU can receive notification\nto flush the paging cache before freeing the CPU kernel page table pages.","Type":"Description","Title":"iommu: disable SVA when CONFIG_X86 is set"}]}}}