CVE-2025-71111 Overview
A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability has been identified in the Linux kernel's hardware monitoring (hwmon) subsystem, specifically within the w83791d driver. The vulnerability exists in the FAN_FROM_REG macro, which evaluates its arguments multiple times. When used in lockless contexts involving shared driver data, this behavior can lead to race conditions that may result in divide-by-zero errors, potentially causing system instability or denial of service.
Critical Impact
This vulnerability can cause divide-by-zero errors in the Linux kernel's hwmon subsystem, potentially leading to system crashes or denial of service on systems using the w83791d hardware monitoring driver.
Affected Products
- Linux kernel with w83791d hwmon driver enabled
- Systems with Winbond W83791D hardware monitoring chip
- Linux distributions with affected kernel versions
Discovery Timeline
- 2026-01-14 - CVE CVE-2025-71111 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2025-71111
Vulnerability Analysis
The vulnerability resides in the w83791d hardware monitoring driver, a component responsible for interfacing with the Winbond W83791D Super I/O chip commonly found in motherboards for monitoring fan speeds, temperatures, and voltages.
The root issue stems from the FAN_FROM_REG macro implementation that evaluates its arguments multiple times during execution. In C programming, macros are expanded inline, meaning that if an argument is used multiple times within the macro definition, the expression is evaluated each time the argument appears. When this macro is invoked in lockless contexts with shared driver data, a race condition window opens between the time data is checked and when it is actually used.
An attacker or malicious process with local access could potentially exploit this timing window to manipulate the shared data between evaluations, leading to inconsistent state that triggers arithmetic exceptions such as divide-by-zero errors. Such exceptions in kernel space can cause system panics or crashes, resulting in denial of service.
Root Cause
The root cause is the improper use of C preprocessor macros that evaluate arguments multiple times in a concurrent environment. The FAN_FROM_REG macro, when processing fan register values, reads shared data multiple times without proper synchronization. This creates a TOCTOU vulnerability where the value can change between the initial check and subsequent use.
Additionally, the store_fan_div function performed calculations outside of the update lock, allowing read-modify-write sequences to operate on potentially inconsistent data when concurrent access occurred.
Attack Vector
The attack vector requires local access to the system. An attacker would need to:
- Identify systems using the w83791d hwmon driver
- Trigger concurrent access to the driver's shared data structures
- Exploit the race condition timing window to cause inconsistent data states
- The resulting divide-by-zero error would crash the kernel or cause system instability
The fix converts the vulnerable macro to a static function, ensuring arguments are evaluated only once through pass-by-value semantics. Additionally, the calculation of the minimum limit in store_fan_div was moved inside the update lock to ensure atomic read-modify-write operations.
Detection Methods for CVE-2025-71111
Indicators of Compromise
- Unexpected kernel panics or system crashes related to hwmon or arithmetic exceptions
- Division by zero errors in kernel logs referencing the w83791d driver
- Abnormal CPU utilization spikes from hwmon-related processes
- System instability when accessing hardware monitoring interfaces
Detection Strategies
- Monitor kernel logs (dmesg) for divide-by-zero exceptions or arithmetic errors in hwmon subsystem
- Review system crash dumps for stack traces involving the w83791d driver module
- Implement kernel auditing to track accesses to /sys/class/hwmon/ interfaces
- Deploy runtime integrity monitoring for kernel module behavior anomalies
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture diagnostic information
- Configure centralized logging for kernel messages across affected systems
- Implement alerting for repeated system reboots or kernel panic events
- Monitor hardware monitoring sensor readings for anomalous values that might indicate exploitation attempts
How to Mitigate CVE-2025-71111
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the security fix
- Review and apply relevant kernel patches from the stable kernel tree
- Consider temporarily disabling the w83791d driver module if hardware monitoring is not critical
- Restrict local access to systems to trusted users only
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix converts the problematic FAN_FROM_REG macro to a static function, ensuring single evaluation of arguments through pass-by-value semantics. Additionally, the store_fan_div function has been modified to perform calculations within the update lock.
Multiple patch commits are available in the stable kernel tree:
- Kernel Git Commit 3dceb68
- Kernel Git Commit 670d7ef
- Kernel Git Commit a9fb6e8
- Kernel Git Commit bf5b032
- Kernel Git Commit c8cf0c2
- Kernel Git Commit f2b579a
- Kernel Git Commit f94800f
Workarounds
- Unload the w83791d kernel module if hardware monitoring functionality is not required: modprobe -r w83791d
- Blacklist the w83791d module to prevent automatic loading by adding blacklist w83791d to /etc/modprobe.d/blacklist.conf
- Restrict access to hwmon sysfs interfaces using file system permissions
- Implement access controls to limit which users and processes can interact with hardware monitoring interfaces
# Temporary workaround: Unload and blacklist the vulnerable module
sudo modprobe -r w83791d
echo "blacklist w83791d" | sudo tee /etc/modprobe.d/blacklist-w83791d.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

