CVE-2025-71089
Description
In the Linux kernel, the following vulnerability has been resolved:
iommu: disable SVA when CONFIG_X86 is set
Patch series "Fix stale IOTLB entries for kernel address space", v7.
This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption.
This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused.
This patch (of 8):
In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries.
The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA.
Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables.
Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern.
Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel disables IOMMU SVA on x86 to prevent stale IOTLB entries from causing use-after-free or privilege escalation.
Vulnerability
Overview
CVE-2025-71089 addresses a security flaw in the Linux kernel's IOMMU Shared Virtual Addressing (SVA) implementation on x86 architectures. The root cause is that when SVA is enabled, the IOMMU hardware shares and caches kernel page table entries. The kernel currently lacks a notification mechanism for kernel page table changes, so when a page table page is freed and reallocated, the IOMMU may retain stale entries. This can lead to the IOMMU walking into attacker-controlled memory, enabling use-after-free (UAF) or write-after-free (WAF) conditions [1][2].
Exploitation and
Impact
An attacker with unprivileged access to an SVA context could potentially exploit this by causing kernel page table pages to be freed and reallocated. The IOMMU might then misinterpret reallocated data as valid page table entries, allowing arbitrary physical memory DMA access or privilege escalation. Additionally, the IOMMU may continue to write Accessed and Dirty bits to freed memory, exacerbating the issue [3][4].
Mitigation
The fix disables SVA when CONFIG_X86 is set, preventing the IOMMU from caching kernel page table entries on x86 systems. A deferred freeing mechanism for kernel page table pages is also introduced to provide a safe window for IOMMU cache invalidation before page reuse [1][2]. Users should apply the latest kernel patches to mitigate this vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9nvdPatch
- git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06cnvdPatch
- git.kernel.org/stable/c/7cad37e358970af1bb49030ff01f06a69fa7d985nvdPatch
- git.kernel.org/stable/c/b34289505180a83607fcfdce14b5a290d0528476nvdPatch
- git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4nvdPatch
- git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661nvdPatch
News mentions
0No linked articles in our index yet.