CVE-2025-71095 Overview
CVE-2025-71095 is a memory type confusion vulnerability in the Linux kernel's stmmac network driver that causes a kernel crash when executing zero copy XDP_TX actions. The vulnerability occurs because the stmmac_xdp_xmit_back() function fails to properly check the memory type of xdp_buff structures, leading to invalid DMA mappings and kernel panics.
Critical Impact
This vulnerability can cause a complete kernel panic and system crash during XDP packet processing operations, resulting in denial of service conditions on affected Linux systems.
Affected Products
- Linux kernel with stmmac network driver
- Systems using XDP (eXpress Data Path) with zero copy mode
- Linux kernel versions prior to the security patches
Discovery Timeline
- 2026-01-13 - CVE CVE-2025-71095 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71095
Vulnerability Analysis
The vulnerability exists in the stmmac network driver's handling of XDP_TX actions when operating in zero copy mode. When an XDP program returns an XDP_TX action, the driver converts the xdp_buff structure to an xdp_frame using xdp_convert_buff_to_frame(). The resulting xdp_frame inherits its memory type from the source xdp_buff.
For page pool-based xdp_buff structures, the resulting xdp_frame has memory type MEM_TYPE_PAGE_POOL. However, for zero copy XSK (AF_XDP socket) pool-based xdp_buff structures, the resulting xdp_frame has memory type MEM_TYPE_PAGE_ORDER0. The critical flaw is that stmmac_xdp_xmit_back() does not check the actual memory type and unconditionally treats all frames as page pool type, leading to invalid DMA synchronization operations.
This memory type confusion causes the kernel to attempt DMA operations on invalid memory addresses, as evidenced by the crash attempting to access virtual address fffeffff80000000, resulting in a fatal kernel panic during interrupt handling.
Root Cause
The root cause is missing memory type validation in the stmmac_xdp_xmit_back() function. The function assumes all xdp_frame structures originate from page pool allocations and uses page pool-specific DMA synchronization routines. When processing frames from XSK zero copy buffers with MEM_TYPE_PAGE_ORDER0, the incorrect memory handling path is taken, causing invalid pointer dereferences during DMA cache operations in dcache_clean_poc and __dma_sync_single_for_device.
Attack Vector
The vulnerability is triggered through normal XDP packet processing operations when using AF_XDP sockets in zero copy mode. The attack vector requires local access to configure XDP programs and AF_XDP sockets on the affected network interface. The crash occurs during the NAPI poll routine when the driver attempts to transmit packets via XDP_TX action.
The crash trace shows the failure path:
- stmmac_napi_poll_rxtx processes received packets
- __stmmac_xdp_run_prog executes the XDP program returning XDP_TX
- stmmac_xdp_xmit_xdpf attempts to transmit the frame
- __dma_sync_single_for_device fails during DMA synchronization
- dcache_clean_poc triggers the fatal page fault
Detection Methods for CVE-2025-71095
Indicators of Compromise
- Kernel panic messages containing "Unable to handle kernel paging request" with addresses in the fffeffff80000000 range
- Crash traces showing stmmac_xdp_xmit_xdpf and __dma_sync_single_for_device in the call stack
- System instability when running XDP programs with AF_XDP zero copy mode on stmmac network interfaces
Detection Strategies
- Monitor kernel logs for oops messages referencing dcache_clean_poc or __dma_sync_single_for_device
- Implement crash dump analysis to identify stmmac XDP-related kernel panics
- Track XDP program usage on systems with stmmac network drivers
Monitoring Recommendations
- Enable kernel crash dumps to capture diagnostic information when panics occur
- Monitor system uptime and unexpected reboots on systems using stmmac drivers with XDP
- Review dmesg logs for stmmac driver errors or warnings related to DMA operations
How to Mitigate CVE-2025-71095
Immediate Actions Required
- Apply the latest kernel security patches from the Linux kernel stable tree
- Disable XDP zero copy mode on stmmac interfaces until patches are applied
- Consider switching to XDP copy mode as a temporary workaround
Patch Information
The Linux kernel team has released patches to fix this vulnerability. The fix adds proper memory type checking in stmmac_xdp_xmit_back() to correctly handle both page pool and XSK zero copy buffer types. Multiple kernel stable branches have received patches:
- Kernel Git Commit 3f78232
- Kernel Git Commit 45ee046
- Kernel Git Commit 4d0ceb7
- Kernel Git Commit 5e59887
- Kernel Git Commit a48e232
Workarounds
- Avoid using AF_XDP sockets in zero copy mode with stmmac network interfaces
- Use XDP programs in copy mode (XDP_FLAGS_SKB_MODE) instead of zero copy mode
- If zero copy XDP is required, consider using alternative network drivers that properly handle memory type checking
The vulnerability fix involves checking the xdp_buff memory type in stmmac_xdp_xmit_back() before processing XDP_TX actions. Organizations should prioritize kernel updates on systems actively using XDP with stmmac network interfaces to prevent potential denial of service conditions.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
