CVE-2025-71087 Overview
CVE-2025-71087 is an off-by-one vulnerability in the Linux kernel's Intel Adaptive Virtual Function (iavf) network driver, specifically within the iavf_config_rss_reg() function. The vulnerability causes out-of-bounds reads to memory and out-of-bounds writes to device registers when configuring RSS (Receive Side Scaling) hash key and lookup table settings.
Critical Impact
This off-by-one bug in the iavf network driver can lead to out-of-bounds memory access, potentially causing kernel memory corruption, system instability, or privilege escalation in virtualized network environments.
Affected Products
- Linux kernel with iavf (Intel Adaptive Virtual Function) driver
- Systems utilizing Intel virtual function network adapters with RSS configuration
- Virtualized environments using Intel NIC virtual functions
Discovery Timeline
- 2026-01-13 - CVE CVE-2025-71087 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71087
Vulnerability Analysis
The vulnerability resides in the iavf_config_rss_reg() function within the iavf driver, which is responsible for configuring Receive Side Scaling (RSS) on Intel Adaptive Virtual Function network interfaces. RSS is a feature that distributes incoming network traffic across multiple CPU cores for improved performance.
The flaw was introduced by commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), which changed the loop boundary conditions when iterating through RSS hash key and lookup table registers. The original code safely used the maximum valid index constants (I40E_VFQF_HKEY_MAX_INDEX and I40E_VFQF_HLUT_MAX_INDEX) as upper bounds.
After the problematic commit, the loop bounds were changed to use calculated values based on adapter->rss_key_size / 4 and adapter->rss_lut_size / 4. Since these values represent the total count of dwords rather than the last valid index, using the <= comparison operator causes the loop to access one element beyond the allocated buffer.
Root Cause
The root cause is an incorrect boundary comparison in the RSS configuration loop. When iterating through RSS configuration arrays, the code uses i <= adapter->rss_{key,lut}_size / 4 where the division result represents the total number of dwords. The correct comparison should be i < adapter->rss_{key,lut}_size / 4 since array indices are zero-based and the last valid index is (size / 4) - 1.
This classic off-by-one error causes the loop to execute one additional iteration, reading memory past the end of the allocated rss_key buffer and writing to device registers beyond the intended range. The KASAN (Kernel Address Sanitizer) report indicates a 4-byte out-of-bounds read at the boundary of a 52-byte allocated region.
Attack Vector
The vulnerability is triggered during the iavf watchdog task execution when RSS configuration is being applied. While direct remote exploitation is limited, the vulnerability can be triggered by:
- Modifying RSS configuration parameters on systems with Intel virtual function network adapters
- During driver initialization or reconfiguration in virtualized environments
- Kernel worker threads processing iavf configuration changes
The out-of-bounds memory access could potentially leak sensitive kernel memory or corrupt adjacent memory regions, depending on the memory layout at exploitation time.
The fix involves changing the loop comparison operators from <= to < to ensure the loop terminates before accessing invalid memory addresses. Multiple kernel commit patches have been released to address this issue across different stable kernel branches.
Detection Methods for CVE-2025-71087
Indicators of Compromise
- KASAN splat messages in kernel logs indicating "slab-out-of-bounds" errors in iavf_config_rss function
- Kernel panic or oops messages related to the iavf driver during network configuration
- Unexpected memory corruption symptoms when using Intel virtual function network adapters
- System instability or crashes during RSS configuration changes on affected systems
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) in development or testing environments to detect out-of-bounds memory accesses
- Monitor kernel logs (dmesg) for iavf driver-related error messages or memory access violations
- Deploy SentinelOne Singularity for Linux to detect anomalous kernel behavior and memory corruption attempts
- Implement kernel log monitoring for patterns matching "BUG: KASAN" combined with "iavf" driver references
Monitoring Recommendations
- Configure centralized logging to capture and alert on kernel memory access violations
- Implement automated scanning to identify systems running vulnerable kernel versions with iavf driver loaded
- Monitor virtual network function configurations for unexpected changes or error conditions
- Use SentinelOne's behavioral AI to detect exploitation attempts targeting kernel memory vulnerabilities
How to Mitigate CVE-2025-71087
Immediate Actions Required
- Update Linux kernel to a patched version containing the off-by-one fix
- Check if the iavf driver module is loaded on affected systems using lsmod | grep iavf
- Review kernel logs for any evidence of exploitation attempts
- Prioritize patching for systems utilizing Intel virtual function network adapters in production environments
Patch Information
Multiple kernel patches have been released to address this vulnerability. The fix involves changing the loop comparison from <= to < in the iavf_config_rss_reg() function to prevent out-of-bounds access.
Available patches:
- Linux Kernel Commit 18de0e4
- Linux Kernel Commit 3095228
- Linux Kernel Commit 6daa289
- Linux Kernel Commit d7369dc
- Linux Kernel Commit f36de30
Workarounds
- If immediate patching is not possible, consider disabling the iavf driver module if the Intel virtual function functionality is not required
- Restrict access to network configuration interfaces on affected systems
- Monitor systems closely for kernel instability or memory corruption symptoms until patches can be applied
- Consider using alternative network drivers if available for your hardware configuration
# Check if iavf driver is loaded
lsmod | grep iavf
# View current kernel version
uname -r
# Check for KASAN messages in kernel log
dmesg | grep -i kasan
# Temporarily unload iavf driver (if not in use)
# Warning: This will disconnect the associated network interface
sudo modprobe -r iavf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
