CVE-2025-71115 Overview
A null pointer dereference vulnerability has been identified in the Linux kernel's User Mode Linux (UML) subsystem. The vulnerability exists due to improper initialization timing of the cpu_tasks[] array in the uml_finishsetup() function. When Kernel Code Coverage (KCOV) is enabled, early initialization code can call functions like memparse() which contain coverage annotations. The subsequent checks in check_kcov_mode() crash because the current pointer is NULL, as cpu_tasks[] has not yet been initialized.
Critical Impact
Systems running User Mode Linux with KCOV enabled may experience kernel crashes during initialization due to null pointer dereference when coverage-annotated functions are called before cpu_tasks[] initialization.
Affected Products
- Linux Kernel (User Mode Linux subsystem)
- Linux kernel builds with KCOV enabled
- Linux kernel versions prior to the security patches
Discovery Timeline
- 2026-01-14 - CVE CVE-2025-71115 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2025-71115
Vulnerability Analysis
This vulnerability stems from a race condition in the kernel initialization sequence specific to User Mode Linux (UML). The cpu_tasks[] array, which tracks CPU task information, was being initialized too late in the boot process within uml_finishsetup(). When the kernel is compiled with KCOV (Kernel Code Coverage) support, various initialization functions contain coverage annotations that trigger calls to check_kcov_mode().
The check_kcov_mode() function relies on the current macro to access the currently running task. However, since cpu_tasks[] hadn't been initialized yet during early boot stages, the current pointer resolves to NULL. Any attempt to dereference this NULL pointer results in a kernel crash, effectively creating a denial of service condition during system initialization.
Root Cause
The root cause is an initialization order dependency issue. The cpu_tasks[] array was dynamically initialized in uml_finishsetup(), which occurs after certain init code paths that may invoke KCOV-annotated functions like memparse(). When these functions execute their coverage instrumentation code, they attempt to access task-related data structures through the current macro, which depends on cpu_tasks[] being properly initialized.
The fix involves changing cpu_tasks[] from dynamic initialization to static initialization, ensuring the array is available from the very beginning of the kernel boot process. This eliminates the window where current could return NULL due to uninitialized task tracking structures.
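To make the ordering problem concrete, the following is an added userspace model written for this page; it is not the kernel's code and not part of the advisory. The names cpu_tasks, get_current, check_kcov_mode, uml_finishsetup and memparse are borrowed from the text, but the struct layout, the NR_CPUS value of 4 and the return codes are assumptions chosen for the model. The vulnerable layout leaves the array in .bss (all NULL) until uml_finishsetup() runs; the fixed layout initializes every entry at compile time, as the patch description says.

```c
/*
 * Userspace model (added example, NOT the kernel's code) of the init-order
 * bug behind CVE-2025-71115 and of the static-initialisation fix.
 * Assumptions, labelled as such: NR_CPUS, the task_struct fields and the
 * helper names below are simplified stand-ins for their UML counterparts.
 */
#include <stddef.h>
#include <stdio.h>

#define NR_CPUS 4

struct task_struct {
	const char *comm;
	int kcov_mode;          /* 0 means KCOV is not tracing this task */
};

static struct task_struct init_task = { "swapper", 0 };

/*
 * Vulnerable layout: the array lives in .bss, so each slot is NULL until
 * uml_finishsetup() fills it in. Instrumented code that runs earlier
 * therefore sees a NULL current.
 */
static struct task_struct *cpu_tasks_dynamic[NR_CPUS];

/*
 * Fixed layout: every slot points at init_task from the first instruction.
 * (The kernel idiom for this is a GNU range designator,
 * [0 ... NR_CPUS - 1] = &init_task; written out here for portability.)
 */
static struct task_struct *cpu_tasks_static[NR_CPUS] = {
	&init_task, &init_task, &init_task, &init_task,
};

/* Model of UML's get_current(): the task recorded for the boot CPU. */
static struct task_struct *get_current_from(struct task_struct **cpu_tasks)
{
	return cpu_tasks[0];
}

enum kcov_result {
	KCOV_NULL_CURRENT = -1,	/* the real kernel oopses at this point */
	KCOV_NOT_TRACING  = 0,
	KCOV_TRACING      = 1,
};

/*
 * Model of check_kcov_mode(): the kernel reads current->kcov_mode. This
 * model tests for NULL first so it can report the fault instead of
 * crashing the way the real code does.
 */
static int check_kcov_mode(struct task_struct **cpu_tasks)
{
	struct task_struct *current = get_current_from(cpu_tasks);

	if (!current)
		return KCOV_NULL_CURRENT;
	return current->kcov_mode ? KCOV_TRACING : KCOV_NOT_TRACING;
}

/* Stand-in for a coverage-annotated early helper such as memparse(). */
static int early_instrumented_call(struct task_struct **cpu_tasks)
{
	/* the compiler-inserted __sanitizer_cov_trace_pc() hook lands here */
	return check_kcov_mode(cpu_tasks);
}

/* Model of uml_finishsetup(): the late, dynamic initialisation. */
static void uml_finishsetup(struct task_struct **cpu_tasks)
{
	cpu_tasks[0] = &init_task;
}

/*
 * Early boot in the order the advisory describes: the instrumented call
 * happens BEFORE uml_finishsetup(). Returns that call's result.
 */
static int early_boot(struct task_struct **cpu_tasks)
{
	int r = early_instrumented_call(cpu_tasks);

	uml_finishsetup(cpu_tasks);
	return r;
}

/* Fresh boot of the vulnerable layout: yields KCOV_NULL_CURRENT (-1). */
int boot_vulnerable(void)
{
	cpu_tasks_dynamic[0] = NULL;	/* state of .bss at kernel entry */
	return early_boot(cpu_tasks_dynamic);
}

/* Fresh boot of the fixed layout: yields KCOV_NOT_TRACING (0). */
int boot_fixed(void)
{
	return early_boot(cpu_tasks_static);
}

int main(void)
{
	printf("vulnerable layout: %d\nfixed layout:      %d\n",
	       boot_vulnerable(), boot_fixed());
	return 0;
}
```

The only difference between the two layouts is where the initialization happens; moving it from a function body into the array's initializer is exactly what closes the window in which current is NULL.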
Attack Vector
The vulnerability is primarily a local denial of service condition that occurs during kernel initialization. The attack vector is limited because:
- The crash occurs during early boot with KCOV enabled
- KCOV is typically used in development/testing environments for code coverage analysis
- An attacker would need local access to configure and boot a vulnerable kernel
The vulnerability does not appear to be directly exploitable for code execution or privilege escalation, but it prevents successful system boot under specific configurations.
Detection Methods for CVE-2025-71115
Indicators of Compromise
- Kernel panic or crash during early boot initialization
- Error messages referencing check_kcov_mode() null pointer dereference
- System logs showing crashes in UML initialization with KCOV enabled
- Boot failures when running User Mode Linux with coverage instrumentation
Detection Strategies
- Monitor system boot logs for null pointer dereference panics in UML subsystem
- Check kernel configuration for KCOV enablement combined with UML usage
- Review dmesg output for crashes during uml_finishsetup() or related functions
- Audit kernel build configurations for vulnerable KCOV + UML combinations
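One way to audit build configurations for the KCOV + UML combination named above, as an added example that is not part of the advisory: a small checker that matches whole lines of a .config so that CONFIG_KCOV_ENABLE_COMPARISONS=y and "# CONFIG_KCOV is not set" are not mistaken for CONFIG_KCOV=y. The three configuration fragments are constructed samples, not real build files; the function names are this example's own.

```c
/*
 * Added example (not from the advisory): a .config audit that flags
 * CONFIG_UML=y together with CONFIG_KCOV=y. The three configs below are
 * constructed samples, not real build files.
 */
#include <stdio.h>
#include <string.h>

static const char *cfg_vulnerable =
	"CONFIG_UML=y\n"
	"# CONFIG_SMP is not set\n"
	"CONFIG_KCOV=y\n"
	"CONFIG_KCOV_ENABLE_COMPARISONS=y\n";

static const char *cfg_kcov_off =
	"CONFIG_UML=y\n"
	"# CONFIG_KCOV is not set\n";

/* Host kernel with KCOV but without UML: not the configuration this CVE covers. */
static const char *cfg_not_uml =
	"CONFIG_X86_64=y\n"
	"CONFIG_KCOV=y";		/* deliberately no trailing newline */

/*
 * Returns 1 if OPT=y appears as a complete line. Whole-line matching keeps
 * CONFIG_KCOV_ENABLE_COMPARISONS=y from satisfying a CONFIG_KCOV lookup
 * and ignores the commented "is not set" form.
 */
int config_is_y(const char *cfg, const char *opt)
{
	char needle[128];
	int len = snprintf(needle, sizeof needle, "%s=y", opt);
	const char *p;

	if (len < 0 || (size_t)len >= sizeof needle)
		return 0;
	for (p = cfg; (p = strstr(p, needle)) != NULL; p++) {
		int at_line_start = (p == cfg || p[-1] == '\n');
		char after = p[len];

		if (at_line_start && (after == '\n' || after == '\0'))
			return 1;
	}
	return 0;
}

/* 1 when the build is UML with KCOV enabled, the combination the advisory describes. */
int uml_with_kcov(const char *cfg)
{
	return config_is_y(cfg, "CONFIG_UML") && config_is_y(cfg, "CONFIG_KCOV");
}

int main(void)
{
	printf("vulnerable sample: %d\n", uml_with_kcov(cfg_vulnerable));
	printf("kcov off sample:   %d\n", uml_with_kcov(cfg_kcov_off));
	printf("non-UML sample:    %d\n", uml_with_kcov(cfg_not_uml));
	return 0;
}
```

To run it against a real tree, read the build's .config into a buffer and pass it to uml_with_kcov(); a result of 1 marks a build that needs the patched kernel or one of the workarounds below.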
Monitoring Recommendations
- Implement kernel crash dump analysis for systems running UML
- Configure automated alerts for kernel initialization failures
- Monitor for repeated boot failures in virtualized or UML environments
- Deploy kernel log aggregation to detect patterns of initialization crashes
How to Mitigate CVE-2025-71115
Immediate Actions Required
- Apply the latest Linux kernel patches addressing this vulnerability
- Temporarily disable KCOV if running User Mode Linux in production environments
- Update to a patched kernel version containing the static cpu_tasks[] initialization fix
- Review and update kernel configurations for systems using UML subsystem
Patch Information
The vulnerability has been addressed through patches that statically initialize the cpu_tasks[] array, ensuring it is available from the earliest stages of kernel boot. The fix initializes all entries in the array to support both the immediate crash fix and future SMP work.
Patch commits are available from the Linux kernel git repository:
Workarounds
- Disable KCOV in kernel configuration (CONFIG_KCOV=n) as a temporary workaround
- Avoid using User Mode Linux with KCOV-enabled kernels until patches are applied
- Use alternative virtualization solutions if UML with code coverage is not essential
- Consider building kernels without coverage instrumentation for production UML deployments
# Disable KCOV in the UML kernel configuration (UML builds are configured and built with ARCH=um)
make ARCH=um menuconfig
# Navigate to: Kernel hacking -> Kernel Testing and Coverage -> Code coverage for fuzzing (CONFIG_KCOV)
# Set CONFIG_KCOV to 'n'
# Alternatively, modify .config directly; the anchored pattern only touches the exact CONFIG_KCOV line
sed -i 's/^CONFIG_KCOV=y$/# CONFIG_KCOV is not set/' .config
# Let Kconfig resolve options that depended on KCOV before building
make ARCH=um olddefconfig
# Rebuild kernel
make ARCH=um -j$(nproc)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

