CVE-2025-71122: Linux Kernel Buffer Overflow Vulnerability

CVE-2025-71122 Overview

CVE-2025-71122 is a Linux kernel vulnerability in the iommufd selftest infrastructure. The flaw resides in the IOMMU_TEST_OP_ADD_RESERVED test ioctl, where unchecked user-supplied length values can overflow internal arithmetic. This overflow corrupts the reserved interval tree and triggers a WARN_ON. The bug was identified by the syzkaller fuzzer and only affects kernels built with CONFIG_IOMMUFD_TEST enabled, which is typically restricted to development and testing builds rather than production distributions.

Critical Impact

A local authenticated user can trigger an integer overflow in the iommufd selftest ioctl path, corrupting kernel data structures and producing a WARN_ON that signals kernel state integrity loss.

Affected Products

• Linux Kernel 6.2 (with CONFIG_IOMMUFD_TEST enabled)
• Linux Kernel 6.19-rc1 through 6.19-rc8
• Linux distributions shipping test-enabled kernels with iommufd selftest support

Discovery Timeline

• 2026-01-14 - CVE-2025-71122 published to NVD
• 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2025-71122

Vulnerability Analysis

The vulnerability lives in the iommufd selftest path, specifically the IOMMU_TEST_OP_ADD_RESERVED operation. This test ioctl accepts a user-controlled length value and uses it in arithmetic that determines an interval range stored in the reserved interval tree. When the input is large enough, the arithmetic wraps around and produces an out-of-bounds interval. The resulting corrupted entry in the reserved interval tree triggers a WARN_ON inside the kernel, indicating a violation of an internal invariant. Because the flaw is scoped to CONFIG_IOMMUFD_TEST builds, production kernels without this option are not exposed. However, distributions and developers who ship debug or test kernels for QA, kernel CI, or research workloads remain affected.

Root Cause

The root cause is missing validation of a user-supplied length parameter before it participates in unchecked arithmetic. Without an overflow check, the multiplication or addition used to compute the interval end can wrap, leading to an invalid range entry. The fix introduces explicit validation of user input length in the test ioctl path before it is consumed by interval tree operations. This vulnerability is classified as an Integer Overflow ([CWE-190 category]) leading to kernel data structure corruption.

Attack Vector

Exploitation requires local access and the ability to invoke the iommufd test ioctl. An attacker with local low-privileged access can send a crafted IOMMU_TEST_OP_ADD_RESERVED ioctl with a length value chosen to overflow the interval calculation. The resulting WARN_ON indicates kernel state corruption, which on production builds without panic-on-warn produces a kernel log entry, but on hardened systems with panic_on_warn set can cause a denial of service. Network exploitation is not possible because the attack surface is a local ioctl interface.

No public proof-of-concept code is available for this issue. The condition was discovered through syzkaller-driven kernel fuzzing rather than a published exploit.

Detection Methods for CVE-2025-71122

Indicators of Compromise

• Kernel log entries containing WARN_ON traces originating from the iommufd selftest reserved interval tree code paths
• Unexpected invocation of IOMMU_TEST_OP_ADD_RESERVED ioctls from non-test workloads or unprivileged user sessions
• Presence of CONFIG_IOMMUFD_TEST=y in deployed production kernels, which by itself indicates an exposed attack surface

Detection Strategies

• Audit running kernel configuration for CONFIG_IOMMUFD_TEST and flag any systems where the test option is enabled outside of development environments
• Monitor dmesg and journalctl -k for kernel warnings referencing iommufd or interval tree corruption
• Apply syscall and ioctl auditing through auditd to record processes invoking iommufd device nodes such as /dev/iommu

Monitoring Recommendations

• Forward kernel ring buffer logs to a centralized logging system and alert on WARN_ON events tied to iommufd subsystems
• Track local privilege baselines and unusual ioctl activity from interactive shells and container workloads
• Include kernel configuration drift checks in compliance scans to catch test-enabled kernels reaching production hosts

How to Mitigate CVE-2025-71122

Immediate Actions Required

• Identify all Linux hosts running kernels built with CONFIG_IOMMUFD_TEST and prioritize patching or kernel replacement
• Apply the upstream stable kernel fixes referenced in the kernel.org commits as soon as vendor packages are available
• For production fleets, rebuild or switch to kernels with CONFIG_IOMMUFD_TEST disabled, since the test option is not intended for production use
• Restrict access to iommufd device nodes through filesystem permissions and Linux capabilities to limit who can call the test ioctl

Patch Information

The fix validates user input length in the IOMMU_TEST_OP_ADD_RESERVED ioctl handler before performing the arithmetic that populates the reserved interval tree. The patches are available in the following upstream commits: Kernel Git Commit 4cc829d, Kernel Git Commit b166b8e, Kernel Git Commit e6a973a, and Kernel Git Commit e6c122c. Apply the corresponding backports for any 6.2 and 6.19 release-candidate kernels in use.

Workarounds

• Disable the iommufd test infrastructure by rebuilding the kernel with CONFIG_IOMMUFD_TEST unset, which removes the vulnerable code path entirely
• Remove or restrict permissions on /dev/iommu so only trusted administrative users can issue iommufd ioctls
• Avoid setting panic_on_warn=1 on hosts running affected test kernels until the patch is applied to prevent denial-of-service escalation from the WARN_ON

# Configuration example
# Check whether the running kernel exposes the vulnerable test option
grep CONFIG_IOMMUFD_TEST /boot/config-$(uname -r)

# Restrict access to the iommufd device node
chmod 600 /dev/iommu
chown root:root /dev/iommu

# Monitor for WARN_ON events tied to iommufd
journalctl -k --since "1 hour ago" | grep -iE "iommufd|WARN_ON"