CVE-2025-68760
Description
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd: Fix potential out-of-bounds read in iommu_mmio_show
iommu_mmio_write() validates the user-provided offset with the check: iommu->dbg_mmio_offset > iommu->mmio_phys_end - 4. This assumes a 4-byte access. However, the corresponding show handler, iommu_mmio_show(), uses readq() to perform an 8-byte (64-bit) read.
If a user provides an offset equal to mmio_phys_end - 4, the check passes, which leads to a 4-byte out-of-bounds read.
Fix this by adjusting the boundary check to use sizeof(u64), which corresponds to the size of the readq() operation.
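The boundary arithmetic described above, as an added user-space model (not the kernel's code and not from the patch). The function names, the region size and the wraparound guard in offset_fits() are assumptions of this example; `end` stands in for mmio_phys_end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model only. `end` plays the role of mmio_phys_end: valid byte
 * offsets are [0, end). All function names here are hypothetical. */

/* Accept `offset` only if an access of `size` bytes fits inside the region.
 * The `end >= size` test (added by this model) keeps the unsigned
 * subtraction from wrapping when the region is smaller than the access. */
static bool offset_fits(uint64_t offset, uint64_t end, size_t size)
{
    return end >= size && offset <= end - size;
}

/* Check as described before the fix: sized for a 4-byte access. */
bool check_before_fix(uint64_t offset, uint64_t end)
{
    return offset_fits(offset, end, 4);
}

/* Check as described after the fix: sized for the 8-byte readq(). */
bool check_after_fix(uint64_t offset, uint64_t end)
{
    return offset_fits(offset, end, sizeof(uint64_t));
}

/* Number of bytes an 8-byte read at `offset` would touch beyond `end`. */
uint64_t readq_overrun(uint64_t offset, uint64_t end)
{
    uint64_t last = offset + sizeof(uint64_t);  /* one past the last byte read */
    return last > end ? last - end : 0;
}

int main(void)
{
    const uint64_t end = 0x4000;                /* constructed region size */
    const uint64_t offs[] = { end - 8, end - 4, end };

    for (size_t i = 0; i < sizeof(offs) / sizeof(offs[0]); i++)
        printf("offset 0x%llx: before=%d after=%d overrun=%llu\n",
               (unsigned long long)offs[i],
               check_before_fix(offs[i], end), check_after_fix(offs[i], end),
               (unsigned long long)readq_overrun(offs[i], end));
    return 0;
}
```

An offset of end - 4 is the only 4-byte-aligned value the 4-byte check accepts and the 8-byte check rejects, which makes it a useful regression test input for a patched kernel.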
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's AMD IOMMU driver, the debugfs offset check assumes a 4-byte access while the read that follows is 8 bytes wide, allowing a 4-byte out-of-bounds read via debugfs.
Vulnerability
In the AMD IOMMU driver, the debugfs show handler iommu_mmio_show() uses readq() for an 8-byte read, but the offset validation in iommu_mmio_write() assumes a 4-byte access. This mismatch allows an offset of mmio_phys_end - 4 to pass validation, leading to a 4-byte out-of-bounds read [1].
Exploitation
The vulnerability is exposed through the debugfs interface, which requires local access and privileges to write to the debugfs file. An attacker with local access can trigger the out-of-bounds read by providing an offset that passes the 4-byte check but runs past the end of the MMIO region when the 8-byte read is performed.
Impact
The out-of-bounds read could leak sensitive kernel memory or cause a system crash. The fix adjusts the boundary check to use sizeof(u64) to match the read size, preventing the OOB access.
Mitigation
The fix has been applied to the Linux kernel stable tree [1]. Users should update to a patched kernel version to mitigate this vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.