CVE-2025-71139

{"id": "CVE-2025-71139", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "affected": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "affectedData": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "07d24902977e4704fab8472981e73a0ad6dfa1fd", "lessThan": "a843e4155c83211c55b1b6cc17eab27a6a2c5b6f", "versionType": "git"}, {"status": "affected", "version": "07d24902977e4704fab8472981e73a0ad6dfa1fd", "lessThan": "a3785ae5d334bb71d47a593d54c686a03fb9d136", "versionType": "git"}], "programFiles": ["kernel/kexec_core.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.17"}, {"status": "unaffected", "version": "0", "lessThan": "6.17", "versionType": "semver"}, {"status": "unaffected", "version": "6.18.4", "versionType": "semver", "lessThanOrEqual": "6.18.*"}, {"status": "unaffected", "version": "6.19", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["kernel/kexec_core.c"], "defaultStatus": "affected"}]}], "published": "2026-01-14T15:16:03.693", "references": [{"url": "https://git.kernel.org/stable/c/a3785ae5d334bb71d47a593d54c686a03fb9d136", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a843e4155c83211c55b1b6cc17eab27a6a2c5b6f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernel/kexec: fix IMA when allocation happens in CMA area\n\n*** Bug description ***\n\nWhen I tested kexec with the latest kernel, I ran into the following warning:\n\n[ 40.712410] ------------[ cut here ]------------\n[ 40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198\n[...]\n[ 40.816047] Call trace:\n[ 40.818498] kimage_map_segment+0x144/0x198 (P)\n[ 40.823221] ima_kexec_post_load+0x58/0xc0\n[ 40.827246] __do_sys_kexec_file_load+0x29c/0x368\n[...]\n[ 40.855423] ---[ end trace 0000000000000000 ]---\n\n*** How to reproduce ***\n\nThis bug is only triggered when the kexec target address is allocated in\nthe CMA area. If no CMA area is reserved in the kernel, use the \"cma=\"\noption in the kernel command line to reserve one.\n\n*** Root cause ***\nThe commit 07d24902977e (\"kexec: enable CMA based contiguous\nallocation\") allocates the kexec target address directly on the CMA area\nto avoid copying during the jump. In this case, there is no IND_SOURCE\nfor the kexec segment. But the current implementation of\nkimage_map_segment() assumes that IND_SOURCE pages exist and map them\ninto a contiguous virtual address by vmap().\n\n*** Solution ***\nIf IMA segment is allocated in the CMA area, use its page_address()\ndirectly."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nkernel/kexec: corregir IMA cuando la asignaci\u00f3n se produce en el \u00e1rea CMA\n\n* Descripci\u00f3n del error *\n\nCuando prob\u00e9 kexec con el kernel m\u00e1s reciente, me encontr\u00e9 con la siguiente advertencia:\n\n[ 40.712410] ------------[ cut here ]------------\n[ 40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198\n[...]\n[ 40.816047] Call trace:\n[ 40.818498] kimage_map_segment+0x144/0x198 (P)\n[ 40.823221] ima_kexec_post_load+0x58/0xc0\n[ 40.827246] __do_sys_kexec_file_load+0x29c/0x368\n[...]\n[ 40.855423] ---[ end trace 0000000000000000 ]---\n\n* C\u00f3mo reproducir *\n\nEste error solo se activa cuando la direcci\u00f3n de destino de kexec se asigna en el \u00e1rea CMA. Si no se reserva ning\u00fan \u00e1rea CMA en el kernel, use la opci\u00f3n 'cma=' en la l\u00ednea de comandos del kernel para reservar una.\n\n* Causa ra\u00edz *\nEl commit 07d24902977e ('kexec: habilitar asignaci\u00f3n contigua basada en CMA') asigna la direcci\u00f3n de destino de kexec directamente en el \u00e1rea CMA para evitar la copia durante el salto. En este caso, no hay IND_SOURCE para el segmento kexec. Pero la implementaci\u00f3n actual de kimage_map_segment() asume que las p\u00e1ginas IND_SOURCE existen y las mapea en una direcci\u00f3n virtual contigua mediante vmap().\n\n* Soluci\u00f3n *\nSi el segmento IMA se asigna en el \u00e1rea CMA, use su page_address() directamente."}], "lastModified": "2026-06-17T10:03:44.617", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "312F9EA6-4B54-4FDE-90FB-1414FF6BD0E6", "versionEndExcluding": "6.18.4", "versionStartIncluding": "6.17.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7CC8B11D-82DC-4958-8DC7-BF5CC829A5E9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}