CVE-2025-71305 Overview
CVE-2025-71305 affects the Linux kernel's Direct Rendering Manager (DRM) DisplayPort Multi-Stream Transport (MST) subsystem. The vulnerability resides in drm_dp_atomic_release_time_slots() within drivers/gpu/drm/display/drm_dp_mst_topology.c. When a DisplayPort 2.1 monitor disconnects and drm_dp_delayed_destroy_work executes, the Virtual Channel Payload Identifier (VCPI) can become 0. The code then computes ~BIT(vcpi - 1), producing a negative shift exponent and a shift-out-of-bounds condition flagged by UBSAN. This corrupts the payload mask through integer overflow and can destabilize the graphics stack on affected systems.
Critical Impact
A negative bit shift in DisplayPort MST timeslot release produces a wrong payload mask, leading to kernel undefined behavior on DP 2.1 monitor disconnect events.
Affected Products
- Linux kernel — DRM DisplayPort MST subsystem (drivers/gpu/drm/display/drm_dp_mst_topology.c)
- Systems using the Intel xe GPU driver with DisplayPort 2.1 monitors
- Linux kernel versions prior to the fix, including 6.17.0-rc6 as reported in the bug trace
Discovery Timeline
- 2026-05-27 - CVE-2025-71305 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2025-71305
Vulnerability Analysis
The defect occurs during DisplayPort MST timeslot release. When releasing a timeslot, the kernel computes a payload mask using ~BIT(vcpi - 1). If the delayed destroy work runs after a DP 2.1 monitor disconnects, the VCPI value can reach 0. Subtracting 1 produces -1, which is then passed to the BIT() macro as a shift exponent.
UBSAN reports this at drm_dp_mst_topology.c:4575:36 with the message "shift exponent -1 is negative". The resulting payload mask is incorrect due to integer overflow behavior in the bitwise operation. The faulty path runs inside drm_dp_delayed_destroy_work on the drm_dp_mst_wq workqueue, eventually invoked by atomic modeset checks such as mst_connector_atomic_check() and drm_atomic_helper_check_modeset().
Root Cause
The root cause is missing input validation on the VCPI value before it is used as a shift operand. VCPI identifiers should never legitimately be 0, but the timing window between monitor disconnection and delayed destroy processing leaves the field cleared. The fix adds a guard to skip payload mask updates when VCPI equals 0, preventing the negative shift. This is classified as a boundary condition error with shift-count undefined behavior [CWE-758].
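The mask update and the guard described above, as an added userspace example (not the kernel source or the upstream patch). The function names, the unsigned long mask type and the sample mask value are assumptions made for illustration.

```c
#include <stdio.h>

/* Userspace stand-in for the kernel's BIT() macro. */
#define BIT(n) (1UL << (n))

/* Model of the pre-fix update: clear the mask bit that belongs to a VCPI.
 * With vcpi == 0 the shift exponent is -1, which is undefined behaviour
 * in C, so this form is only safe to call with vcpi >= 1. */
static unsigned long release_mask_unguarded(unsigned long payload_mask, int vcpi)
{
    return payload_mask & ~BIT(vcpi - 1);
}

/* Model of the guarded update: when the VCPI has already been cleared
 * to 0, the payload mask is left untouched and no shift is evaluated. */
static unsigned long release_mask_guarded(unsigned long payload_mask, int vcpi)
{
    if (vcpi == 0)
        return payload_mask;
    return payload_mask & ~BIT(vcpi - 1);
}

int main(void)
{
    unsigned long mask = 0x7; /* constructed: VCPI 1, 2 and 3 in use */

    /* Valid VCPI: both forms clear bit 1 and agree on the result. */
    printf("unguarded, vcpi=2: %#lx\n", release_mask_unguarded(mask, 2));
    printf("guarded,   vcpi=2: %#lx\n", release_mask_guarded(mask, 2));

    /* Cleared VCPI after disconnect: the mask is returned unchanged,
     * so the bits of the remaining streams are preserved. */
    printf("guarded,   vcpi=0: %#lx\n", release_mask_guarded(mask, 0));
    return 0;
}
```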
Attack Vector
The trigger requires physical or local interaction with a DisplayPort 2.1 monitor — specifically, a disconnect event that races with the drm_dp_delayed_destroy_work handler. No remote attack vector is documented. The EPSS score is 0.024% (7.377 percentile), reflecting low likelihood of exploitation, and no public proof-of-concept or in-the-wild abuse has been reported. The practical impact is undefined behavior in kernel space and potential graphics subsystem instability rather than direct privilege escalation.
No verified exploitation code is available for this issue. See the upstream kernel commits referenced below for the patch implementation.
Detection Methods for CVE-2025-71305
Indicators of Compromise
- UBSAN kernel log entries containing "shift-out-of-bounds in ../drivers/gpu/drm/display/drm_dp_mst_topology.c" with "shift exponent -1 is negative".
- Kernel call traces referencing drm_dp_atomic_release_time_slots.cold, drm_dp_delayed_destroy_work, and the drm_dp_mst_wq workqueue.
- DisplayPort 2.1 monitor disconnect events correlated with kworker/u*:* task warnings on systems running the xe or related DRM drivers.
Detection Strategies
- Enable CONFIG_UBSAN and CONFIG_UBSAN_SHIFT on test kernels to surface the shift-out-of-bounds report at runtime.
- Monitor dmesg and journalctl -k for the "cut here" UBSAN delimiter combined with drm_dp_mst_topology source references.
- Forward kernel logs to a centralized SIEM and alert on UBSAN signatures originating from DRM display helper modules.
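One way to match the log signature described in the lists above, as an added example that is not part of the original advisory. The sample log is constructed (timestamps and the unrelated first line are made up), and the function name is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of kernel log output; timestamps are made up and
 * the message strings are the ones quoted in this advisory. */
static const char SAMPLE_LOG[] =
    "[  101.000001] usb 1-2: new high-speed USB device number 5\n"
    "[  212.400010] ------------[ cut here ]------------\n"
    "[  212.400015] UBSAN: shift-out-of-bounds in ../drivers/gpu/drm/display/drm_dp_mst_topology.c:4575:36\n"
    "[  212.400020] shift exponent -1 is negative\n"
    "[  212.400031] Workqueue: drm_dp_mst_wq drm_dp_delayed_destroy_work\n"
    "[  212.400040]  drm_dp_atomic_release_time_slots.cold\n"
    "[  212.400052] ---[ end trace ]---\n";

/* Count reports matching the signature: a shift-out-of-bounds line that
 * points at drm_dp_mst_topology.c, followed by the negative-exponent
 * line before the next "cut here" delimiter starts a new report. */
static int count_mst_shift_reports(const char *log)
{
    int hits = 0, armed = 0;
    char line[512];

    while (*log) {
        size_t n = strcspn(log, "\n");
        size_t len = n < sizeof(line) - 1 ? n : sizeof(line) - 1;
        memcpy(line, log, len);
        line[len] = '\0';
        log += n + (log[n] == '\n');

        if (strstr(line, "cut here"))
            armed = 0;
        if (strstr(line, "shift-out-of-bounds") &&
            strstr(line, "drm_dp_mst_topology.c"))
            armed = 1;
        else if (armed && strstr(line, "shift exponent -1 is negative")) {
            hits++;
            armed = 0;
        }
    }
    return hits;
}

int main(void)
{
    printf("matching reports: %d\n", count_mst_shift_reports(SAMPLE_LOG));
    return 0;
}
```

Requiring both lines within one report keeps shift warnings from other source files from raising the alert.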
Monitoring Recommendations
- Track kernel version inventory across endpoints to identify hosts still running pre-patch DRM display helper code.
- Correlate hotplug events with kernel warnings to detect repeated occurrences tied to specific DisplayPort 2.1 hardware.
- Establish a baseline for drm_dp_mst_wq workqueue activity and alert on associated WARN or UBSAN traces.
How to Mitigate CVE-2025-71305
Immediate Actions Required
- Apply the upstream Linux kernel fix that skips payload mask modification when vcpi == 0 in drm_dp_atomic_release_time_slots().
- Rebuild or upgrade kernels on systems that connect DisplayPort 2.1 monitors, prioritizing workstations using the Intel xe driver.
- Coordinate with distribution maintainers to pull in stable backports referenced in the upstream commits.
Patch Information
The fix is distributed across multiple stable branches via the following commits: Kernel Commit 342ccff, Kernel Commit 3f44cdb, Kernel Commit 4d2ccde, Kernel Commit 95dbd52, Kernel Commit ac9a7c3, and Kernel Commit d6afc75. The patch adds a guard so the payload mask is not updated when VCPI is 0.
Workarounds
- Avoid hot-unplugging DisplayPort 2.1 monitors on unpatched kernels where the xe or DP MST stack is in use.
- Disable DisplayPort MST in firmware or display settings on affected hosts until patched kernels are deployed.
- Restrict UBSAN panic-on-warn settings to prevent fault escalation while patches are being staged across the fleet.