Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71087

CVE-2025-71087: Linux Kernel Buffer Overflow Vulnerability

CVE-2025-71087 is a buffer overflow vulnerability in the Linux Kernel iavf driver that causes out-of-bounds memory reads and register writes. This article covers the technical details, affected versions, impact, and mitigation.

Updated:

CVE-2025-71087 Overview

CVE-2025-71087 is an off-by-one vulnerability in the Linux kernel's Intel Adaptive Virtual Function (iavf) network driver. The flaw resides in the iavf_config_rss_reg() function, which configures the Receive Side Scaling (RSS) hash key and lookup table. Incorrect loop bounds cause out-of-bounds reads from kernel slab memory and out-of-bounds writes to device registers. The issue was detected by KASAN as a slab-out-of-bounds read in the kmalloc-64 cache during the iavf_watchdog_task workqueue execution. The vulnerability is classified under [CWE-193] Off-by-one Error and affects systems using Intel virtual function network interfaces.

Critical Impact

A local low-privileged actor can trigger out-of-bounds memory access and corrupt device register state, resulting in kernel instability and denial of service on hosts using the iavf driver.

Affected Products

  • Linux kernel 4.7 and later branches containing commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS")
  • Linux kernel 6.19 release candidates rc1 through rc8
  • Systems using the Intel Adaptive Virtual Function (iavf) driver for SR-IOV networking

Discovery Timeline

  • 2026-01-13 - CVE-2025-71087 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2025-71087

Vulnerability Analysis

The vulnerability stems from incorrect loop termination conditions in iavf_config_rss_reg(). Prior to commit 43a3d9ba34c9, loops iterated with i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX, where the macro represented the last valid index. That commit changed the upper bound to i <= adapter->rss_{key,lut}_size / 4. Because rss_{key,lut}_size / 4 represents the total dword count, the last valid index is (rss_{key,lut}_size / 4) - 1. Using <= therefore reads one element past the end of the allocated buffer and writes one register past the valid range.

KASAN confirms the issue with a slab-out-of-bounds read of size 4 at offset 0 immediately following a 52-byte allocation in the kmalloc-64 cache. The trace originates from iavf_config_rss+0x619 invoked through iavf_watchdog_task. The fix replaces <= with < to ensure loop indices remain within allocated bounds.

Root Cause

The root cause is a classic off-by-one error introduced when refactoring loop bounds from a fixed-index macro to a size-derived count. The developer retained the <= comparison operator that was correct for the last-valid-index semantic but incorrect for the count-of-elements semantic. The error spans both the RSS hash key buffer (heap-allocated) and the RSS lookup table writes (memory-mapped device registers).

Attack Vector

Exploitation requires local access with low privileges sufficient to trigger RSS reconfiguration on an iavf-managed virtual function. The attack does not require user interaction. The result is kernel memory disclosure adjacent to the RSS key allocation and writes to one extra device register beyond the intended RSS lookup table range, which can destabilize the network device or the kernel. There is no confidentiality or integrity impact recorded for user data, but availability is high because the kernel may panic or the device may enter an inconsistent state.

No verified proof-of-concept code is publicly available. The vulnerability mechanism is documented in the upstream kernel patch series referenced under Kernel Git Commit Update.

Detection Methods for CVE-2025-71087

Indicators of Compromise

  • KASAN reports containing BUG: KASAN: slab-out-of-bounds in iavf_config_rss in kernel logs.
  • Unexpected kernel oops or warnings traced through iavf_watchdog_task and iavf_config_rss.
  • Anomalous resets or link flaps on iavf-managed virtual function interfaces correlated with RSS reconfiguration events.

Detection Strategies

  • Enable KASAN on test or canary kernels to surface out-of-bounds reads in the iavf driver before deployment.
  • Audit running kernel versions and the loaded iavf module against the patched stable branches listed in the vendor advisory.
  • Correlate dmesg output for stack traces referencing iavf_config_rss followed by process_one_work and worker_thread frames.

Monitoring Recommendations

  • Forward kernel ring buffer logs from Linux hosts to a centralized telemetry pipeline and alert on KASAN, iavf, and slab-out-of-bounds strings.
  • Track virtual function NIC health metrics such as link state transitions, reset counters, and queue stalls on hypervisors using SR-IOV.
  • Monitor process and workqueue telemetry on Linux endpoints to identify kernel crashes originating from networking workqueues.

How to Mitigate CVE-2025-71087

Immediate Actions Required

  • Apply the upstream Linux kernel patches that change the loop condition in iavf_config_rss_reg() from <= to < for both the RSS key and lookup table loops.
  • Reboot affected hosts after installing the patched kernel package from your distribution to load the corrected iavf module.
  • Restrict local access on systems using Intel SR-IOV networking until patched kernels are deployed.

Patch Information

The fix is available across multiple stable kernel branches. See the upstream commits: stable commit 18de0e41, stable commit 3095228e, stable commit 5bb18bfd, stable commit 6daa2893, stable commit ceb8459d, stable commit d7369dc8, and stable commit f36de304. Consume the patches through your distribution's kernel update channel rather than building from source where possible.

Workarounds

  • Unload the iavf module on hosts that do not require Intel virtual function networking using modprobe -r iavf.
  • Avoid runtime RSS reconfiguration on iavf interfaces via ethtool -X until the patched kernel is installed.
  • Where SR-IOV is not required, fall back to the physical function driver or a non-affected NIC to eliminate exposure to the vulnerable code path.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.