
CVE-2025-71203: Linux Kernel Information Disclosure Flaw

CVE-2025-71203 is an information disclosure vulnerability in the Linux Kernel affecting RISC-V syscall table indexing. Speculative execution could leak data via cache side channels. Learn about technical details and fixes.


CVE-2025-71203 Overview

CVE-2025-71203 is a speculative execution side channel vulnerability in the Linux kernel's RISC-V architecture code. The syscall number, a user-controlled value, is used to index into the syscall table without speculation barriers. An attacker with local access can manipulate this index to trigger speculative out-of-bounds memory access. The transient execution leaks data through cache side channels, similar in nature to Spectre v1. The fix introduces array_index_nospec() to clamp the syscall index after the bounds check on RISC-V kernels.

Critical Impact

Local attackers can exfiltrate kernel memory contents via cache timing side channels by abusing speculative execution during syscall dispatch on RISC-V systems.

Affected Products

  • Linux kernel 6.19-rc1 through 6.19-rc4 on RISC-V
  • Earlier stable branches receiving the backported fix per the upstream commits
  • Linux distributions shipping RISC-V kernel builds without the array_index_nospec() patch

Discovery Timeline

  • 2026-02-14 - CVE-2025-71203 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2025-71203

Vulnerability Analysis

The vulnerability is classified as [CWE-129] Improper Validation of Array Index in a speculative execution context. On RISC-V, the syscall dispatch path validates the user-supplied syscall number against the table size before performing the table lookup. Modern out-of-order RISC-V cores can speculatively execute the table indexing past the bounds check using predicted branch outcomes. During this speculative window, the processor may load arbitrary kernel memory at an attacker-controlled offset.

The speculative load brings cache lines into the processor's data cache. Although the architectural state is rolled back when the misprediction resolves, the cache state persists. An attacker measures cache access timings to recover the speculatively loaded values. This produces a primitive equivalent to Spectre variant 1 against the syscall table dispatch path.

Root Cause

The RISC-V syscall entry code lacks a speculation barrier between the bounds check on the syscall number and the actual array indexing into the syscall table. Compiler-emitted conditional branches do not constrain speculative loads on this path. Without array_index_nospec() clamping the index to a safe value during speculative execution, the processor can dereference attacker-chosen offsets relative to the syscall table base.

Attack Vector

Exploitation requires local code execution with low privileges. An attacker trains the branch predictor to bias toward the in-bounds outcome, then issues a syscall with an out-of-bounds number. The mistrained predictor allows the CPU to speculatively read kernel memory at a controlled offset. The attacker then probes cache state through Flush+Reload or similar timing techniques to reconstruct the leaked bytes. Repeating this loop yields incremental disclosure of sensitive kernel data, including credentials, keys, or pointers used to defeat KASLR.

No public proof-of-concept code is currently available for this issue. The fix is applied in the RISC-V syscall entry path through the upstream commits referenced below.

Detection Methods for CVE-2025-71203

Indicators of Compromise

  • No reliable host-based indicators exist because the side channel leaves no syscall audit trail or persistent artifacts.
  • Unusual processes generating high-volume invalid syscalls or sustained cache flush instructions on RISC-V hosts may indicate exploitation attempts.
  • Unprivileged workloads showing sustained use of perf_event_open or high-resolution timers, paired with syscall fuzzing patterns, may indicate an attempt to build a cache timing oracle.

Detection Strategies

  • Audit running RISC-V kernel versions against the patched commits 25fd7ee7bf58, 8b44e7537951, and c45848936ebd to identify unpatched hosts.
  • Monitor auditd for excessive ENOSYS returns from a single process, which can correlate with branch predictor training loops.
  • Enable kernel lockdown and restrict access to performance counters that adversaries use to build cache timing oracles.

Monitoring Recommendations

  • Track kernel build versions across RISC-V fleets via configuration management and flag systems running 6.19-rc1 through 6.19-rc4.
  • Collect process execution telemetry for unprivileged binaries issuing high-frequency invalid syscalls.
  • Alert on attempts to access /proc/kallsyms, /dev/cpu/*/msr, or other interfaces used to corroborate kernel address leaks.

How to Mitigate CVE-2025-71203

Immediate Actions Required

  • Apply the upstream Linux kernel patch that introduces array_index_nospec() in the RISC-V syscall dispatch path.
  • Upgrade RISC-V hosts to a kernel build that includes commits 25fd7ee7bf58ac3ec7be3c9f82ceff153451946c, 8b44e753795107a22ba31495686e83f4aca48f36, or c45848936ebdb4fcab92f8c39510db83c16d0239.
  • Restrict local shell access on multi-tenant RISC-V systems until patched kernels are deployed.

Patch Information

The fix sanitizes the user-controlled syscall index after the bounds check using array_index_nospec(). This forces the speculative value to a safe in-range index, preventing out-of-bounds speculative loads from the syscall table. See the upstream commits: Linux kernel commit 25fd7ee7, Linux kernel commit 8b44e753, and Linux kernel commit c4584893.
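The pattern described in Root Cause and Patch Information, as an added user-space illustration rather than the kernel's own RISC-V entry code: an unprotected dispatch that relies only on the compare-and-branch, beside a hardened one that clamps the index with a branchless mask. The mask arithmetic follows the kernel's generic array_index_mask_nospec() helper; the table, the handlers and all demo_-prefixed names are constructed for this example.

```c
#include <stdio.h>

/* Constructed stand-in for a syscall table: three handlers indexed by number. */
typedef long (*sys_handler_t)(long);

static long sys_demo_zero(long a)   { (void)a; return 0; }
static long sys_demo_echo(long a)   { return a; }
static long sys_demo_double(long a) { return 2 * a; }

#define NR_DEMO_SYSCALLS 3UL
static const sys_handler_t demo_syscall_table[NR_DEMO_SYSCALLS] = {
    sys_demo_zero, sys_demo_echo, sys_demo_double,
};

#define BITS_PER_LONG (8 * sizeof(unsigned long))

/* Branchless mask: all ones when index < size, all zeros otherwise.
 * Same arithmetic as the kernel's generic array_index_mask_nospec().
 * The empty asm hides the value from the optimizer so the mask is computed
 * even when a preceding branch already "proved" the index in range;
 * the CPU does not honour that proof while speculating. */
static inline unsigned long demo_index_mask_nospec(unsigned long index,
                                                   unsigned long size)
{
    __asm__ __volatile__("" : "+r"(index));
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (BITS_PER_LONG - 1));
}

/* Clamp: in-range indices pass through, anything else becomes 0. */
static inline unsigned long demo_index_nospec(unsigned long index,
                                              unsigned long size)
{
    return index & demo_index_mask_nospec(index, size);
}

/* Exposes the clamped table index for a given syscall number so the
 * behaviour of the mask can be checked directly. */
unsigned long demo_clamped_index(unsigned long nr)
{
    return demo_index_nospec(nr, NR_DEMO_SYSCALLS);
}

/* Unprotected dispatch: the conditional branch is the only guard, so a
 * mispredicted branch can let the table load run with an out-of-range nr
 * (returns -1 architecturally, standing in for -ENOSYS). */
long demo_dispatch_unprotected(unsigned long nr, long arg)
{
    if (nr >= NR_DEMO_SYSCALLS)
        return -1;
    return demo_syscall_table[nr](arg);   /* index used as-is */
}

/* Hardened dispatch: after the architectural check, nr is rewritten through
 * a data dependency, so a speculated path past the branch indexes entry 0
 * instead of an attacker-chosen offset. Architectural results are unchanged. */
long demo_dispatch_protected(unsigned long nr, long arg)
{
    if (nr >= NR_DEMO_SYSCALLS)
        return -1;
    nr = demo_index_nospec(nr, NR_DEMO_SYSCALLS);
    return demo_syscall_table[nr](arg);
}

int main(void)
{
    unsigned long probes[] = { 0, 2, 3, 1UL << 40, ~0UL };
    for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("nr=%#lx -> clamped index %lu\n",
               probes[i], demo_clamped_index(probes[i]));
    printf("protected(2, 21) = %ld, unprotected(2, 21) = %ld\n",
           demo_dispatch_protected(2, 21), demo_dispatch_unprotected(2, 21));
    return 0;
}
```

The two dispatchers return identical values for every input; the difference is only visible to a core that runs the table load before the branch resolves, which is why the clamp must be a data dependency rather than another branch.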

Workarounds

  • Limit access to high-resolution timers and performance counters by setting kernel.perf_event_paranoid=3 to reduce side channel measurement primitives.
  • Enforce seccomp filters on untrusted workloads to constrain the syscall numbers reachable from user space.
  • Isolate sensitive workloads on dedicated RISC-V hosts away from untrusted local users until patches are applied.
```bash
# Configuration example
# Restrict perf and unprivileged BPF as defense-in-depth on RISC-V hosts.
# Note: perf_event_paranoid=3 is a distribution-specific level; upstream
# kernels treat any value above 2 the same as 2.
sysctl -w kernel.perf_event_paranoid=3
sysctl -w kernel.unprivileged_bpf_disabled=1

# Verify the running kernel version (affected: 6.19-rc1 through 6.19-rc4)
uname -r
# Confirm this is a RISC-V kernel build (requires CONFIG_IKCONFIG_PROC);
# this does not by itself prove the array_index_nospec() fix is present
zcat /proc/config.gz | grep CONFIG_RISCV
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
