Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71071

CVE-2025-71071: Linux Kernel Use-After-Free Vulnerability

CVE-2025-71071 is a use-after-free flaw in the Linux Kernel's iommu/mediatek driver that occurs during probe deferral. This post covers the technical details, affected versions, potential impact, and mitigation steps.

Updated:

CVE-2025-71071 Overview

CVE-2025-71071 is a use-after-free vulnerability [CWE-416] in the Linux kernel's MediaTek IOMMU driver (iommu/mediatek). The flaw resides in the probe path, where the driver drops references taken on larb (local arbiter) devices after successful lookup as well as on error paths. When a larb device has not yet been bound to its driver, the IOMMU driver probe defers, leaving stale references that can lead to a use-after-free condition.

The issue affects multiple Linux kernel branches, including 6.19 release candidates and earlier stable trees. Local attackers with low privileges can leverage the condition to compromise kernel memory integrity.

Critical Impact

Successful exploitation can lead to kernel memory corruption, local privilege escalation, or denial of service on systems using MediaTek IOMMU hardware.

Affected Products

  • Linux Kernel 6.2 (initial introduction)
  • Linux Kernel 6.19-rc1 through 6.19-rc8
  • Linux distributions shipping the MediaTek IOMMU driver on affected SoCs

Discovery Timeline

  • 2026-01-13 - CVE-2025-71071 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2025-71071

Vulnerability Analysis

The MediaTek IOMMU driver manages a set of larb (local arbiter) devices that participate in DMA translation for MediaTek SoC subsystems. During probe, the driver acquires device references to each larb through device lookup operations. These references are intended to remain valid while the IOMMU driver is bound.

The defective logic drops the acquired references immediately after successful lookup, and also drops them on error paths. If a larb device has not yet completed its own driver bind, the IOMMU probe returns -EPROBE_DEFER. Subsequent operations may then dereference a larb device whose backing memory has been released, producing a classic use-after-free.

Root Cause

The root cause is incorrect lifecycle management of struct device references in the IOMMU probe handler. The driver invoked the put operation on larb references it still relied on, breaking the reference-counting contract enforced by the kernel device model. The fix retains the references for the lifetime of the IOMMU driver binding.

Attack Vector

Exploitation requires local access with low privileges on a system using a vulnerable MediaTek IOMMU-equipped SoC. An attacker triggers conditions that cause repeated probe deferrals, such as module load ordering manipulation or device hot-plug sequencing. Reclaiming the freed device allocation with attacker-controlled data can produce kernel memory corruption suitable for privilege escalation.

No verified public proof-of-concept is available. Refer to the upstream commits for technical specifics on the corrected reference handling.

Detection Methods for CVE-2025-71071

Indicators of Compromise

  • Unexpected kernel oops or panic messages referencing mtk_iommu, mtk_iommu_probe, or larb device structures.
  • KASAN reports flagging use-after-free in MediaTek IOMMU code paths.
  • Repeated -EPROBE_DEFER returns from the IOMMU driver immediately followed by kernel instability.

Detection Strategies

  • Enable Kernel Address Sanitizer (KASAN) on test and pre-production builds to surface use-after-free conditions in drivers/iommu/mtk_iommu.c.
  • Audit kernel logs (dmesg, journalctl -k) for crash signatures referencing MediaTek IOMMU symbols.
  • Track kernel package versions against the patched commits to confirm exposure.

Monitoring Recommendations

  • Forward kernel ring buffer events to a centralized logging pipeline and alert on crash signatures involving IOMMU symbols.
  • Monitor for unexpected privilege escalation events on MediaTek-based devices, including unauthorized root shells or capability changes.
  • Track loaded kernel modules and probe order on affected SoCs to detect anomalous module manipulation.

How to Mitigate CVE-2025-71071

Immediate Actions Required

  • Apply the upstream stable kernel updates containing the fix as soon as distribution packages are available.
  • Inventory MediaTek SoC-based systems (Chromebooks, embedded devices, single-board computers) running affected kernel versions.
  • Restrict local access on vulnerable systems until patches are deployed.

Patch Information

The fix retains larb device references for the duration of the IOMMU driver binding instead of releasing them after lookup. Backported patches are available across multiple stable branches. See the upstream commits: Linux Kernel Commit 1ef70a0, Linux Kernel Commit 5c04217, Linux Kernel Commit 896ec55, Linux Kernel Commit de83d46, and Linux Kernel Commit f6c08d3.

Workarounds

  • Limit local shell access and disable unnecessary user accounts on affected MediaTek devices until patches are applied.
  • Where feasible, blacklist or unload the mtk_iommu module on systems that do not require MediaTek IOMMU functionality.
  • Apply strict module-loading policies via modprobe configuration to prevent untrusted manipulation of probe ordering.
bash
# Verify running kernel version and confirm patch status
uname -r

# Check whether the MediaTek IOMMU module is currently loaded
lsmod | grep mtk_iommu

# Inspect kernel log for IOMMU probe deferral or crash signatures
dmesg | grep -iE 'mtk_iommu|iommu.*defer|use-after-free'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.