Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71143

CVE-2025-71143: Linux Kernel Array Bounds Vulnerability

CVE-2025-71143 is an array bounds issue in the Linux kernel's Samsung Exynos clock driver that triggers UBSAN warnings. This post covers the technical details, affected kernel versions, security impact, and available patches.

Published:

CVE-2025-71143 Overview

CVE-2025-71143 is a vulnerability in the Linux kernel affecting the Samsung Exynos clock output driver (clk-exynos-clkout.c). The issue stems from improper initialization order in the exynos_clkout_probe() function, where the .hws[] array is accessed before the .num member is assigned. This triggers UBSAN (Undefined Behavior Sanitizer) bounds checking warnings because the __counted_by annotation relies on .num being set before any array access occurs.

Critical Impact

Improper array bounds initialization in the Samsung Exynos clock driver can trigger undefined behavior and UBSAN warnings during kernel execution, potentially affecting system stability on Samsung Exynos-based platforms.

Affected Products

  • Linux kernel with Samsung Exynos clock output driver (clk-exynos-clkout)
  • Systems using the clk_hw_onecell_data structure with __counted_by annotation
  • Samsung Exynos-based embedded platforms and devices

Discovery Timeline

  • 2026-01-14 - CVE CVE-2025-71143 published to NVD
  • 2026-01-14 - Last updated in NVD database

Technical Details for CVE-2025-71143

Vulnerability Analysis

This vulnerability is an Out-of-Bounds Read/Write condition caused by improper initialization ordering within the Linux kernel's Samsung Exynos clock driver. The issue was introduced when commit f316cdff8d67 added the __counted_by annotation to the hws member of struct clk_hw_onecell_data. This annotation informs the UBSAN bounds sanitizer about the expected number of elements in the .hws[] array.

The fundamental problem is that the bounds sanitizer relies on the .num field to determine valid array access ranges. When .hws[] is accessed before .num is initialized, the sanitizer interprets the array as having zero elements, causing every access to be flagged as out-of-bounds—even when the access would otherwise be valid.

Root Cause

The root cause is an initialization order violation in the exynos_clkout_probe() function. The code accesses .hws[0] and subsequent indices before setting the .num member to indicate how many elements the array contains. With the __counted_by annotation in place, this sequence triggers UBSAN bounds checking because the sanitizer sees .num as zero (uninitialized) when the first array access occurs at index 0.

The fix involves moving the .num assignment to occur before any .hws[] array access, ensuring the bounds sanitizer has correct size information before validation occurs.

Attack Vector

While this vulnerability primarily manifests as a kernel warning and potential undefined behavior, the attack vector involves triggering the exynos_clkout_probe() function during device initialization on Samsung Exynos platforms. An attacker with local access to an affected system could potentially exploit this undefined behavior condition, though practical exploitation would require specific kernel configurations and hardware presence.

The vulnerability occurs in the kernel clock subsystem during probe operations, meaning it is triggered during device initialization rather than through direct user interaction.

Detection Methods for CVE-2025-71143

Indicators of Compromise

  • UBSAN warning messages in kernel logs containing array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18
  • Kernel log entries showing index 0 is out of range for type 'clk_hw *[*]'
  • Unexpected behavior or crashes during boot on Samsung Exynos-based systems with UBSAN enabled

Detection Strategies

  • Monitor kernel logs (dmesg) for UBSAN warnings related to clk-exynos-clkout.c
  • Enable kernel UBSAN bounds checking (CONFIG_UBSAN_BOUNDS) to detect this and similar initialization order issues
  • Audit kernel configuration for Samsung Exynos clock driver inclusion (CONFIG_COMMON_CLK_SAMSUNG)

Monitoring Recommendations

  • Implement centralized kernel log collection for systems running affected Linux kernel versions
  • Configure alerting for UBSAN array bounds violations in production environments
  • Monitor system stability on Samsung Exynos platforms during boot and clock subsystem initialization

How to Mitigate CVE-2025-71143

Immediate Actions Required

  • Update to a patched Linux kernel version that includes the initialization order fix
  • Review kernel configuration to determine if the Samsung Exynos clock driver is enabled
  • Monitor affected systems for signs of instability during boot operations

Patch Information

The Linux kernel maintainers have released patches to address this vulnerability by reordering the initialization sequence. The fix moves the .num assignment to occur before the first .hws[] array access in exynos_clkout_probe().

Patches are available through the following kernel commits:

Workarounds

  • Disable UBSAN bounds checking (CONFIG_UBSAN_BOUNDS=n) as a temporary workaround, though this reduces security visibility
  • If not required, disable the Samsung Exynos clock output driver (CONFIG_COMMON_CLK_EXYNOS_CLKOUT=n) in kernel configuration
  • Apply vendor-specific kernel updates for Samsung Exynos-based devices when available
bash
# Check if Samsung Exynos clock driver is enabled in kernel config
grep -i "CONFIG_COMMON_CLK_EXYNOS" /boot/config-$(uname -r)

# Check for UBSAN bounds warnings related to this vulnerability
dmesg | grep -i "clk-exynos-clkout"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.