The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71078

CVE-2025-71078: Linux Kernel Privilege Escalation Flaw

CVE-2025-71078 is a privilege escalation vulnerability in the Linux kernel affecting PowerPC 64-bit systems using hash MMU. It causes SLB multi-hit errors during process migration. This article covers technical details, impact, and fixes.

Updated: January 22, 2026

CVE-2025-71078 Overview

CVE-2025-71078 is a kernel vulnerability in the Linux kernel's PowerPC 64-bit architecture affecting the Segment Lookaside Buffer (SLB) management during context switches. The vulnerability occurs in systems using the hash Memory Management Unit (MMU), where a software SLB preload cache mirrors entries loaded into the hardware SLB buffer. Due to improper synchronization between the hardware SLB and software preload cache during process migration between CPUs, stale SLB entries can persist and cause SLB multi-hit errors when the kernel attempts to reload evicted entries.

Critical Impact

This vulnerability can cause kernel panics due to SLB multi-hit errors when processes migrate between CPUs without proper MMU context switching, potentially leading to system instability and denial of service on PowerPC 64-bit systems.

Affected Products

  • Linux kernel on PowerPC 64-bit systems with hash MMU
  • Systems running affected kernel versions prior to the security patches

Discovery Timeline

  • 2026-01-13 - CVE CVE-2025-71078 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-71078

Vulnerability Analysis

This vulnerability stems from a race condition in the Linux kernel's PowerPC SLB management subsystem. The SLB is a hardware cache that stores segment table entries for address translation on PowerPC 64-bit systems using the hash MMU. To optimize performance, the kernel maintains a software preload cache that mirrors the hardware SLB entries.

The issue arises during context switches when the kernel skips the switch_mmu_context() function in switch_mm_irqs_off() if the previous and next mm_struct are identical. While this optimization improves performance, it creates a synchronization gap on hash MMU systems where the hardware SLB and software preload cache can become inconsistent.

When a process migrates between CPUs, if an SLB entry is evicted from the software cache on one CPU and the same process later runs on another CPU without executing switch_mmu_context(), the hardware SLB may retain stale entries. Subsequently, when the kernel attempts to reload that entry through preload_new_slb_context(), it adds the entry to both the software preload cache and the hardware SLB. Since the entry was never invalidated on the destination CPU, this results in duplicate entries triggering an SLB multi-hit error.

Root Cause

The root cause is the lack of synchronization between the hardware SLB and software preload cache when processes migrate between CPUs without a full MMU context switch. The kernel's optimization to skip switch_mmu_context() when prev and next mm_struct pointers are identical does not account for the state divergence that can occur across different CPUs on hash MMU systems. Specifically, the periodic eviction of SLB entries (typically after every 256 context switches) on one CPU is not reflected in the hardware SLB state on other CPUs where the same process may subsequently execute.

Attack Vector

This is a local vulnerability that can be triggered during normal system operation when processes are migrated between CPUs by the scheduler. The conditions for triggering include:

  1. A process running on a PowerPC 64-bit system with hash MMU
  2. SLB entry eviction occurring on one CPU due to the preload cache aging mechanism
  3. The process being migrated to another CPU
  4. Context switch optimization skipping switch_mmu_context() because the mm_struct remains the same
  5. Subsequent attempt to reload the evicted SLB entry, causing a multi-hit error

The vulnerability is not directly exploitable for privilege escalation but can cause denial of service through kernel panics. The complex timing requirements and dependency on scheduler behavior make intentional exploitation difficult, though the issue can manifest during normal workloads on affected systems.

Detection Methods for CVE-2025-71078

Indicators of Compromise

  • Kernel panic messages indicating SLB multi-hit errors on PowerPC 64-bit systems
  • System instability or unexpected reboots on PowerPC servers running hash MMU configurations
  • Kernel log entries showing slb_machine_check or similar SLB-related error handlers being invoked

Detection Strategies

  • Monitor kernel logs for SLB-related error messages using dmesg or centralized log collection
  • Implement kernel crash dump analysis to identify SLB multi-hit exceptions in post-mortem analysis
  • Use performance monitoring counters on PowerPC systems to track SLB-related events and anomalies

Monitoring Recommendations

  • Enable kdump or similar crash dump mechanisms to capture kernel state during SLB errors
  • Configure alerting on kernel panic events specifically on PowerPC 64-bit systems
  • Monitor process migration patterns using scheduler tracing to identify workloads that may trigger the vulnerability

How to Mitigate CVE-2025-71078

Immediate Actions Required

  • Apply the official Linux kernel patches to systems running PowerPC 64-bit with hash MMU configurations
  • Schedule maintenance windows for kernel updates on production PowerPC servers
  • Prioritize patching for systems with high process migration rates or multi-socket configurations

Patch Information

Multiple patches have been released to address this vulnerability in the Linux kernel stable branches. The fix modifies the SLB handling logic to properly synchronize the hardware SLB and software preload cache during context switches, even when the mm_struct remains the same. Patches are available at the following kernel.org commits:

  • Linux Kernel Patch 00312419
  • Linux Kernel Patch 4ae1e46d
  • Linux Kernel Patch 895123c3
  • Linux Kernel Patch b13a3dbf
  • Linux Kernel Patch c9f86502

System administrators should update to kernel versions containing these patches through their distribution's package management system.

Workarounds

  • Consider CPU affinity settings to reduce process migration frequency as a temporary measure
  • Evaluate workload placement to minimize context switches across CPUs on critical PowerPC systems
  • Monitor system stability closely and prepare for rapid patching if SLB errors are observed
bash
# Check current kernel version on PowerPC systems
uname -r
uname -m

# Review kernel logs for SLB-related errors
dmesg | grep -i slb

# Check if system uses hash MMU (vulnerability only affects hash MMU systems)
cat /proc/cpuinfo | grep -i mmu

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePrivilege Escalation
  • Vendor/TechLinux Kernel
  • SeverityNONE
  • CVSS ScoreN/A
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Linux Kernel Patch 00312419
  • Linux Kernel Patch 4ae1e46d
  • Linux Kernel Patch 895123c3
  • Linux Kernel Patch b13a3dbf
  • Linux Kernel Patch c9f86502
  • Related CVEs
  • CVE-2026-31411: Linux Kernel Privilege Escalation Flaw
  • CVE-2026-23438: Linux Kernel Privilege Escalation Flaw
  • CVE-2026-23439: Linux Kernel Privilege Escalation Flaw
  • CVE-2026-23437: Linux Kernel Privilege Escalation Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English