CVE-2025-71155 Overview
CVE-2025-71155 is a memory corruption vulnerability in the Linux kernel's KVM subsystem for IBM s390 (mainframe) architecture. The flaw resides in the gmap_helper_zap_one_page() function, which lacked several validation checks. Under specific circumstances, the missing checks can lead to memory corruption inside a KVM guest. The issue is classified as an out-of-bounds write [CWE-787] affecting the Linux kernel on s390 platforms. The vulnerability requires local access with low privileges and no user interaction, making it exploitable by an authenticated attacker on the host with access to the KVM guest mapping helper code paths.
Critical Impact
A local attacker with low privileges can trigger memory corruption in s390 KVM guests, threatening guest confidentiality, integrity, and availability.
Affected Products
- Linux Kernel on IBM s390 architecture with KVM enabled
- Distributions shipping the affected gmap_helper_zap_one_page() code path
- Virtualization hosts running s390 KVM guests
Discovery Timeline
- 2026-01-23 - CVE-2025-71155 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2025-71155
Vulnerability Analysis
The vulnerability exists in the Linux kernel KVM subsystem on s390, specifically in gmap_helper_zap_one_page(). This helper participates in managing the guest memory address space (gmap) used by KVM to translate guest physical addresses to host virtual addresses on s390 mainframes. The function is responsible for invalidating (zapping) a single page in the guest mapping. A prior fix attempted to address related issues, hence the commit subject "Fix gmap_helper_zap_one_page() again," but additional sanity checks remained absent. Without these checks, the helper can operate on pages or address ranges it should not, leading to out-of-bounds write conditions that corrupt guest memory.
Root Cause
The root cause is missing validation in gmap_helper_zap_one_page() before the helper performs page-level operations on guest mappings. The absent checks allow the function to proceed in states where the target page descriptor, mapping, or address range is not in a valid form for the zap operation. This results in writes outside the intended object bounds, which CWE-787 categorizes as an out-of-bounds write. The corrupted memory belongs to the guest, so the integrity of guest workloads is directly affected. The upstream fix adds the missing checks so the function aborts safely when preconditions are not met.
Attack Vector
Exploitation requires local access to the host with low privileges sufficient to reach KVM s390 code paths that invoke gmap_helper_zap_one_page(). The attacker triggers conditions that exercise the helper without the previously missing validation, corrupting guest memory. No user interaction is required, and the scope is unchanged. The vulnerability does not provide remote exploitation, but in multi-tenant s390 virtualization environments it can compromise guest isolation. See the upstream patches at Linux Kernel Commit 2af2abbc and Linux Kernel Commit 2f393c22.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-71155
Indicators of Compromise
- Unexpected memory corruption symptoms inside s390 KVM guests such as kernel oops, application crashes, or filesystem inconsistencies without correlated host hardware faults.
- Host kernel log entries referencing gmap, gmap_helper_zap_one_page, or KVM s390 page management warnings.
- Guest panics that coincide with host operations performing page invalidations on the guest address space.
Detection Strategies
- Inventory s390 hosts and compare running kernel versions against the fixed commits referenced in the vendor advisory.
- Monitor host dmesg and journald for KVM s390 warnings, BUG_ON traces, or gmap-related stack frames.
- Correlate guest instability events with host KVM activity windows using centralized logging.
Monitoring Recommendations
- Forward host kernel logs and KVM audit events to a centralized logging platform for retention and search.
- Track local privileged process activity on s390 hosts that interact with KVM control interfaces such as /dev/kvm.
- Alert on repeated guest crashes originating from the same host to surface possible exploitation attempts.
How to Mitigate CVE-2025-71155
Immediate Actions Required
- Apply the upstream Linux kernel patches that add the missing checks to gmap_helper_zap_one_page() on all s390 KVM hosts.
- Restrict local shell and KVM API access on s390 hosts to trusted administrators only.
- Audit accounts with permission to interact with /dev/kvm or to run virtualization management tooling on s390 hosts.
Patch Information
The Linux kernel maintainers resolved the issue by adding the missing validation checks in gmap_helper_zap_one_page(). Apply the fix from Linux Kernel Commit 2af2abbc and the related Linux Kernel Commit 2f393c22. Consume the fix through your distribution's stable kernel update channel and reboot affected hosts to load the patched kernel.
Workarounds
- Limit which local users and services can invoke KVM operations on s390 hosts until the patched kernel is deployed.
- Where feasible, migrate critical guests off unpatched s390 KVM hosts to reduce exposure.
- Increase monitoring of guest stability and host KVM logs to detect attempts to trigger the helper under unsafe conditions.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

