CVE-2025-71161 Overview
CVE-2025-71161 is a denial-of-service vulnerability in the Linux kernel's dm-verity device-mapper target. The flaw resides in the recursive forward error correction (FEC) logic invoked through fec_read_bufs and verity_hash_for_block. A crafted dm-verity image can trigger up to 253^4 iterations across four nested recursion levels, causing kernel worker threads to hang in uninterruptible sleep. Red Hat QE engineers reproduced the condition with a purpose-built image that wedged the udev-worker process in the D state. The upstream fix disables recursive forward error correction in dm-verity entirely. The vulnerability is categorized under CWE-193 (Off-by-one / boundary condition) and is exploitable by a local attacker with low privileges.
Critical Impact
A local user with access to mount a malicious dm-verity image can hang kernel worker threads, exhausting CPU and producing a sustained denial-of-service condition on the host.
Affected Products
- Linux Kernel (mainline, prior to patched commits)
- Linux Kernel stable branches lacking commits 232948cf and d9f3e47d
- Distributions shipping kernels with dm-verity and FEC support enabled
Discovery Timeline
- 2026-01-23 - CVE-2025-71161 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2025-71161
Vulnerability Analysis
The Linux device-mapper dm-verity target provides transparent integrity checking of block devices using a Merkle tree of cryptographic hashes. When a block fails verification, dm-verity can attempt recovery using forward error correction parity data. The recovery path in fec_read_bufs iterates 253 times per invocation and, for each iteration, may recursively call verity_hash_for_block to validate intermediate blocks. With a recursion depth limit of four, the worst-case path expands to roughly 4 billion iterations. A crafted image triggers this expansion, stalling the kernel worker indefinitely.
A second defect compounds the issue: the buffer fio->bufs is shared between recursive invocations. When verity_hash_for_block calls correction recursively, the inner call overwrites partially populated buffers from the outer call, so the recursive correction is functionally broken even in benign cases.
Root Cause
The root cause is the unbounded multiplicative blow-up of work performed by recursive FEC correction combined with unsafe sharing of the fio->bufs working buffer across recursive frames. Neither a per-invocation iteration budget nor isolation of intermediate buffers was enforced.
Attack Vector
The attack vector is local. An attacker who can present a malicious dm-verity image — for example, via a user-mountable removable device, container image, or system service that consumes attacker-supplied verity metadata — can trigger the runaway correction loop. The kernel worker servicing the verification enters the D state, blocking dependent I/O and degrading or halting system progress. The fix, applied across stable branches in commits 232948cf600f, d9f3e47d3fae, 4220cb374069, 897d9006e75f, and e227d2b229c7, removes recursive forward error correction from dm-verity.
No public exploit code or proof-of-concept is available for this issue.
Detection Methods for CVE-2025-71161
Indicators of Compromise
- Kernel worker threads (notably udev-worker and dm-verity FEC worker kthreads) stuck in the D (uninterruptible sleep) state for extended periods.
- Sustained 100% CPU usage on a core attributable to dm-verity verification or FEC processing after mounting an untrusted image.
- Soft lockup or hung_task messages in dmesg referencing fec_read_bufs or verity_hash_for_block.
Detection Strategies
- Monitor /proc/<pid>/stack and /proc/<pid>/wchan for processes blocked inside dm-verity FEC routines.
- Alert on hung_task kernel warnings in /var/log/messages, journalctl -k, or syslog forwarders.
- Track mounts of dm-verity targets originating from non-privileged or untrusted sources via audit rules on the mount syscall and on the device-mapper control interface (/dev/mapper/control) used by dmsetup.
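A triage script for the two strategies above (D-state tasks parked in FEC routines, and hung_task reports naming them), added here as an example and not part of the advisory or the kernel project. It assumes the standard /proc/<pid>/status, wchan, comm and stack files, and that the verity_fec_ symbol prefix covers the FEC helpers in dm-verity-fec.c beyond the two routines the advisory names.

```shell
#!/bin/sh
# Added triage helpers (not from the advisory or the kernel project) for the symptoms above:
# tasks in D state parked in dm-verity FEC routines, and hung_task reports naming them.

# Wait-channel / stack symbols taken from the advisory; the verity_fec_ prefix is assumed to
# cover the remaining FEC helpers in dm-verity-fec.c.
FEC_SYMBOLS='fec_read_bufs|verity_hash_for_block|verity_fec_'

# Returns 0 when a task's state ($1) is D and its wait channel ($2) is one of the FEC routines.
is_fec_blocked() {
    [ "$1" = "D" ] || return 1
    printf '%s\n' "$2" | grep -Eq "$FEC_SYMBOLS"
}

# Returns 0 when the log text given as $1 holds a hung_task report whose trace names a
# FEC routine. Feed it the output of dmesg, journalctl -k, or a forwarded syslog file.
log_has_fec_hung_task() {
    printf '%s\n' "$1" | grep -q 'blocked for more than' || return 1
    printf '%s\n' "$1" | grep -Eq "$FEC_SYMBOLS"
}

# Walk /proc and print "pid comm wchan" for matching tasks. /proc/<pid>/wchan is world
# readable; /proc/<pid>/stack is root-only and is appended when it can be read.
scan_procfs() {
    for d in /proc/[0-9]*; do
        state=$(awk '/^State:/ {print $2}' "$d/status" 2>/dev/null) || continue
        wchan=$(cat "$d/wchan" 2>/dev/null) || continue
        if is_fec_blocked "$state" "$wchan"; then
            echo "${d#/proc/} $(cat "$d/comm") $wchan"
            if [ -r "$d/stack" ]; then sed 's/^/    /' "$d/stack"; fi
        fi
    done
}

# Constructed hung_task excerpt (not a real capture) used by the self-check below.
SAMPLE_LOG='[ 1201.334] INFO: task udev-worker:912 blocked for more than 120 seconds.
[ 1201.336] Call Trace:
[ 1201.337]  verity_hash_for_block+0x1a/0x200 [dm_verity]
[ 1201.338]  fec_read_bufs+0x4c/0x3e0 [dm_verity]'

# Usage: sh fec_triage.sh --scan   (live system; reading dmesg may need root)
#        sh fec_triage.sh          (self-check against the constructed sample)
if [ "${1:-}" = "--scan" ]; then
    scan_procfs
    log_has_fec_hung_task "$(dmesg 2>/dev/null)" && echo "dmesg: hung_task report names dm-verity FEC"
else
    log_has_fec_hung_task "$SAMPLE_LOG" && echo "sample log: FEC hung_task signature found"
fi
```

Run it from cron or a monitoring agent with --scan and alert on any printed line; the self-check mode only exercises the matching logic against the constructed sample.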
Monitoring Recommendations
- Set kernel.hung_task_timeout_secs to a non-zero value so the hung-task detector reports blocked tasks, and forward kernel hung-task warnings to a centralized log platform.
- Baseline normal dm-verity verification CPU and I/O patterns, then alert on deviations following image mounts.
- Audit container runtimes and update agents that consume verity metadata for unexpected verification failures.
How to Mitigate CVE-2025-71161
Immediate Actions Required
- Apply the upstream Linux kernel patches that disable recursive forward error correction in dm-verity, available in commits 232948cf600f and d9f3e47d3fae on kernel.org stable.
- Update to distribution kernel packages that incorporate the dm-verity FEC fixes once vendors publish them.
- Restrict the ability of unprivileged users to mount dm-verity targets or supply verity metadata.
Patch Information
The fix removes recursive FEC entirely from dm-verity. Relevant stable commits include 232948cf, d9f3e47d, 4220cb37, 897d9006, and e227d2b2. Rebuild and reboot into a patched kernel to fully resolve the issue.
Workarounds
- Disable dm-verity forward error correction on volumes where it is not strictly required by omitting the FEC parameters in the verity table.
- Block mounting of untrusted block devices and disk images on multi-user systems via udev rules and Polkit policy.
- Limit access to dmsetup and related device-mapper interfaces to administrators only.
# Configuration example: record the running kernel version (compare it against the patched
# stable releases carrying the commits listed above) and check whether the dm-verity FEC
# symbols are present; the grep only lists them when dm_verity is built in or loaded, and
# on its own does not prove the fix is applied
uname -r
grep -E 'fec_read_bufs|verity_hash_for_block' /proc/kallsyms
# Disable unprivileged user namespaces to close unprivileged mount paths for untrusted images.
# This sysctl exists on Debian/Ubuntu kernels; mainline kernels use user.max_user_namespaces=0
sysctl -w kernel.unprivileged_userns_clone=0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

