CVE-2025-71300 Overview
CVE-2025-71300 is a Linux kernel vulnerability affecting the arm64 Xilinx ZynqMP platform. The issue stems from a manually defined OP-TEE node in zynqmp.dtsi that conflicts with U-Boot's automatic device tree injection logic. U-Boot expects no pre-existing OP-TEE node so it can inject both the firmware node and an associated reserved-memory node into the kernel device tree. The static definition breaks this insertion, leaving the OP-TEE reserved-memory region unreserved and causing memory access violations during runtime. The upstream fix reverts commit 06d22ed6b6635b17551f386b50bb5aaff9b75fbe to restore correct OP-TEE memory reservation behavior.
Critical Impact
A local low-privileged actor on affected ZynqMP systems can trigger memory access violations resulting in kernel-level denial of service.
Affected Products
- Linux Kernel on arm64 Xilinx ZynqMP platforms
- Kernel device tree source file arch/arm64/boot/dts/xilinx/zynqmp.dtsi
- Systems using OP-TEE firmware loaded by U-Boot
Discovery Timeline
- 2026-05-08 - CVE-2025-71300 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2025-71300
Vulnerability Analysis
The vulnerability resides in the arm64 device tree definition for Xilinx ZynqMP system-on-chip platforms. Commit 06d22ed6b6635b17551f386b50bb5aaff9b75fbe added an OP-TEE (Open Portable Trusted Execution Environment) node directly to zynqmp.dtsi. This static definition interferes with U-Boot's runtime device tree manipulation logic.
U-Boot's OP-TEE integration code automatically appends an OP-TEE firmware node together with a reserved-memory node to the device tree passed to the kernel. The injection routine performs a check for an existing OP-TEE node and skips the insertion when one is already present. The skip path leaves the secure OS memory region unreserved in the kernel's memory map.
When the kernel later allocates pages from the unreserved region used by OP-TEE Trusted Applications, accesses to those pages cross the Normal World/Secure World boundary and trigger memory access violations. The result is system instability and denial of service on the affected hardware.
Root Cause
The root cause is a coordination failure between bootloader and kernel device tree handling. The manually declared OP-TEE node in zynqmp.dtsi short-circuits U-Boot's conditional injection of the matching reserved-memory entry. Without the reserved range, the kernel page allocator treats secure memory as available general-purpose RAM.
Attack Vector
Exploitation requires local access with low privileges. No user interaction is needed. An actor with the ability to allocate memory or invoke kernel paths that touch the unreserved physical range can trigger the fault condition. The impact is confined to availability — confidentiality and integrity are not affected.
The vulnerability manifests during normal kernel runtime on affected ZynqMP boards using U-Boot with OP-TEE. See the upstream kernel commits referenced below for the precise revert applied to the device tree source.
Detection Methods for CVE-2025-71300
Indicators of Compromise
- Kernel oops or panic logs referencing unhandled memory aborts on arm64 ZynqMP hardware
- dmesg output showing OP-TEE driver initialization followed by abnormal memory faults
- Device tree dump (/sys/firmware/devicetree/base/) containing a statically defined optee node without a corresponding reserved-memory entry
Detection Strategies
- Audit running kernel versions on ZynqMP fleets against the patched stable branches listed in the upstream commits
- Parse boot-time device tree to confirm presence of both the OP-TEE firmware node and its paired reserved-memory reservation
- Correlate hardware-specific kernel panics with workloads that exercise OP-TEE Trusted Applications
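The device tree check from the indicators and detection strategies above, as an added example that is not part of this advisory or of any kernel or U-Boot code. It assumes the kernel's sysfs export at /sys/firmware/devicetree/base (every node a directory, every property a file), the OP-TEE compatible string linaro,optee-tz, and that the bootloader names its injected reservations with an optee prefix; make_sample_tree builds a constructed fixture so the audit can be exercised off the board.

```python
import os
import tempfile

OPTEE_COMPATIBLE = b"linaro,optee-tz"  # compatible string of the OP-TEE firmware node

def _compatible(node_dir):
    # A DT property is a file; 'compatible' holds NUL-separated strings.
    try:
        with open(os.path.join(node_dir, "compatible"), "rb") as f:
            return [s for s in f.read().split(b"\0") if s]
    except OSError:
        return []

def find_optee_nodes(base):
    """Paths (relative to base) of every node compatible with OP-TEE."""
    return sorted(os.path.relpath(d, base) for d, _, _ in os.walk(base)
                  if OPTEE_COMPATIBLE in _compatible(d))

def find_optee_reservations(base):
    """Children of /reserved-memory that carry the OP-TEE range. Assumption:
    the bootloader names them with an 'optee' prefix; adjust if yours differs."""
    rm = os.path.join(base, "reserved-memory")
    if not os.path.isdir(rm):
        return []
    return sorted(n for n in os.listdir(rm)
                  if n.startswith("optee") and os.path.isdir(os.path.join(rm, n)))

def audit(base="/sys/firmware/devicetree/base"):
    """Return ('ok' | 'no-optee' | 'unreserved', detail) for the tree at base."""
    nodes = find_optee_nodes(base)
    if not nodes:
        return "no-optee", "no OP-TEE firmware node present"
    res = find_optee_reservations(base)
    if not res:
        return "unreserved", "OP-TEE node %s has no reserved-memory entry" % nodes[0]
    return "ok", "OP-TEE node %s reserved via %s" % (nodes[0], ", ".join(res))

def make_sample_tree(reserved):
    """Constructed fixture mimicking the sysfs layout; not a real board dump."""
    base = tempfile.mkdtemp()
    optee = os.path.join(base, "firmware", "optee")
    os.makedirs(optee)
    with open(os.path.join(optee, "compatible"), "wb") as f:
        f.write(OPTEE_COMPATIBLE + b"\0")
    if reserved:  # constructed node name and address, not taken from hardware
        os.makedirs(os.path.join(base, "reserved-memory", "optee_core@7e000000"))
    return base
```

Calling audit() with no argument inspects the live sysfs tree on a board; a result of "unreserved" is the condition this advisory describes.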
Monitoring Recommendations
- Collect kernel logs centrally and alert on repeated arm64 synchronous abort traces
- Track kernel package versions across embedded Linux deployments to identify unpatched ZynqMP devices
- Monitor OP-TEE supplicant and tee-supplicant service health for unexpected restarts
How to Mitigate CVE-2025-71300
Immediate Actions Required
- Apply the upstream kernel revert that removes the static OP-TEE node from zynqmp.dtsi
- Rebuild and redeploy kernel images on all affected ZynqMP-based devices
- Validate that U-Boot OP-TEE injection produces the expected reserved-memory node after the patch
Patch Information
The fix reverts commit 06d22ed6b6635b17551f386b50bb5aaff9b75fbe. Upstream patches are available in the kernel.org stable tree across multiple branches:
- Kernel Git Commit 2a833c730d4e
- Kernel Git Commit 3983ef126e4
- Kernel Git Commit c1971799901
- Kernel Git Commit eece81eeda10
Workarounds
- Manually patch arch/arm64/boot/dts/xilinx/zynqmp.dtsi to remove the OP-TEE node and rebuild the kernel
- Disable OP-TEE support in U-Boot configuration if the secure OS is not required for the workload
- Restrict local access on affected embedded devices until patched firmware is deployed
# Verify device tree contains the reserved-memory entry after patching
ls /sys/firmware/devicetree/base/reserved-memory/
ls /sys/firmware/devicetree/base/firmware/optee
dmesg | grep -i optee
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.