CVE-2025-71228 Overview
CVE-2025-71228 is a kernel vulnerability affecting the Linux kernel's LoongArch architecture memory management subsystem. The flaw exists in the handling of protection_map[] for VM_NONE and VM_SHARED Virtual Memory Areas (VMAs). On 32-bit LoongArch platforms, the _PAGE_PROTNONE value is set to 0, which causes pages to become non-present when a VMA is configured as VM_NONE or VM_SHARED. This incorrect page table configuration triggers kernel page faults and system crashes (Oops).
Critical Impact
Systems running Linux kernel on LoongArch 32-bit platforms may experience kernel panics and system instability when memory regions are marked with VM_NONE or VM_SHARED flags, potentially leading to denial of service conditions.
Affected Products
- Linux kernel on LoongArch 32-bit platforms
- Linux kernel versions prior to the patched commits
Discovery Timeline
- 2026-02-18 - CVE CVE-2025-71228 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-71228
Vulnerability Analysis
This vulnerability stems from an incorrect implementation in the LoongArch architecture-specific memory protection mapping. The Linux kernel maintains a protection_map[] array that defines page table entry (PTE) protection bits for different combinations of VMA flags. On LoongArch 32-bit systems, the _PAGE_PROTNONE constant evaluates to 0, which is problematic because it effectively clears the page presence bit.
When the kernel attempts to set up memory regions with VM_NONE (no access permissions) or VM_SHARED (shared memory) flags, the resulting PTE lacks the necessary present bit, causing the hardware to treat these pages as non-present. Any subsequent access to these memory regions triggers a page fault that the kernel cannot properly handle, resulting in a kernel Oops and potential system crash.
Root Cause
The root cause is the use of _PAGE_PROTNONE in the protection_map[] initialization for LoongArch 32-bit platforms. Since _PAGE_PROTNONE is defined as 0 on these platforms, using it to represent "protected but present" pages incorrectly marks them as non-present instead. The fix replaces _PAGE_PROTNONE with _PAGE_PRESENT in the affected protection_map[] entries, ensuring that pages remain present in the page tables even when access is restricted.
Attack Vector
The attack vector for this vulnerability is primarily local, though exploitation characteristics depend on system configuration. An attacker or legitimate process could trigger the vulnerability by:
- Creating a shared memory mapping using mmap() with MAP_SHARED flag
- Setting up memory regions with PROT_NONE protection via mprotect()
- Any kernel subsystem internally using VM_NONE or VM_SHARED VMA flags
When triggered, the vulnerability causes immediate kernel page faults, leading to system instability or crashes. The vulnerability is described in prose as the fix involves replacing _PAGE_PROTNONE with _PAGE_PRESENT in the protection map initialization. Technical details can be found in the kernel git commits.
Detection Methods for CVE-2025-71228
Indicators of Compromise
- Kernel Oops messages in system logs (/var/log/kern.log or dmesg) referencing page faults on LoongArch systems
- Unexpected system crashes or reboots on LoongArch 32-bit platforms
- Stack traces indicating issues in memory management or VMA handling code paths
Detection Strategies
- Monitor kernel logs for page fault exceptions related to LoongArch memory management subsystems
- Check running kernel version against known vulnerable versions using uname -r
- Review system crash dumps for patterns indicating protection_map[] related failures
- Audit system call activity for unusual mmap() or mprotect() patterns with VM_NONE or VM_SHARED flags
Monitoring Recommendations
- Implement real-time kernel log monitoring for Oops and panic events on LoongArch systems
- Deploy crash dump collection and analysis for forensic investigation
- Monitor system stability metrics and unexpected reboot patterns
How to Mitigate CVE-2025-71228
Immediate Actions Required
- Identify all systems running Linux kernel on LoongArch 32-bit architecture
- Review deployed kernel versions and compare against patched versions
- Plan and schedule kernel updates to incorporate the security fix
- Consider migrating critical workloads to patched systems during the update window
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix replaces _PAGE_PROTNONE with _PAGE_PRESENT in the protection_map[] array for affected VMA flag combinations. Multiple stable kernel branches have received the fix:
- Kernel Git Commit 04630328
- Kernel Git Commit 380d7c1a
- Kernel Git Commit 5fbdf95d
- Kernel Git Commit 9531210f
- Kernel Git Commit d5be4469
Workarounds
- No official workarounds are available; applying the kernel patch is the recommended remediation
- Limit exposure by reducing the use of shared memory mappings where possible until patched
- Consider temporarily migrating workloads to 64-bit LoongArch systems if available, as the vulnerability is specific to 32-bit platforms
# Check current kernel version
uname -r
# Verify LoongArch architecture
uname -m
# Update kernel on systems with package management
# For distributions with patched kernels available:
sudo apt update && sudo apt upgrade linux-image-*
# or
sudo yum update kernel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
