Security Vulnerability Report
CVE-2025-71139 CVSS 5.5 MEDIUM

CVE-2025-71139

Published: 2026-01-14 15:16:04
Last Modified: 2026-03-25 18:03:03
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

kernel/kexec: fix IMA when allocation happens in CMA area

*** Bug description ***

When I tested kexec with the latest kernel, I ran into the following warning:

[ 40.712410] ------------[ cut here ]------------
[ 40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198
[...]
[ 40.816047] Call trace:
[ 40.818498] kimage_map_segment+0x144/0x198 (P)
[ 40.823221] ima_kexec_post_load+0x58/0xc0
[ 40.827246] __do_sys_kexec_file_load+0x29c/0x368
[...]
[ 40.855423] ---[ end trace 0000000000000000 ]---

*** How to reproduce ***

This bug is only triggered when the kexec target address is allocated in the CMA area. If no CMA area is reserved in the kernel, use the "cma=" option in the kernel command line to reserve one.

*** Root cause ***

The commit 07d24902977e ("kexec: enable CMA based contiguous allocation") allocates the kexec target address directly on the CMA area to avoid copying during the jump. In this case, there is no IND_SOURCE for the kexec segment. But the current implementation of kimage_map_segment() assumes that IND_SOURCE pages exist and maps them into a contiguous virtual address by vmap().

*** Solution ***

If the IMA segment is allocated in the CMA area, use its page_address() directly.
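The root cause described above, as an added user-space C model that is not the kernel's code and not part of the advisory or the commit: a flat stand-in for the kexec indirection list is walked the way the pre-fix kimage_map_segment() walks it, collecting the IND_SOURCE page frames that land in a segment's destination range. A segment allocated directly in CMA has no IND_SOURCE entries, so the walk comes up short (the kernel's WARN_ON, modelled here as a -1 return). The fixed variant checks the segment's CMA flag first and returns the destination frames themselves, which is what using page_address() on the CMA pages amounts to. The struct names, the `cma` field, the flat entry array and the sample images are assumptions of this model; only the IND_* entry names follow the kernel, and the walk is loosely modelled on it.

```c
#include <stdio.h>
#include <stdlib.h>

#define PG_SHIFT 12
#define PG_SIZE  (1UL << PG_SHIFT)
#define PG_MASK  (~(PG_SIZE - 1))
#define PFN_DOWN(x) ((x) >> PG_SHIFT)
#define PFN_UP(x)   (((x) + PG_SIZE - 1) >> PG_SHIFT)

/* Entry type bits of the kexec indirection list (names as in include/linux/kexec.h). */
#define IND_DESTINATION 0x1
#define IND_INDIRECTION 0x2
#define IND_DONE        0x4
#define IND_SOURCE      0x8

typedef unsigned long kimage_entry_t;
#define MAX_PAGES 16

/* Model of one kexec segment. The 'cma' field is this model's own stand-in for
 * the per-segment CMA bookkeeping; the kernel's field name is not assumed. */
struct model_segment {
    unsigned long mem;    /* destination physical address */
    unsigned long memsz;  /* size in bytes */
    int cma;              /* 1: pages allocated in CMA at 'mem', so no IND_SOURCE entries exist */
};

struct model_image {
    const kimage_entry_t *entries;        /* flat stand-in for the indirection pages (no IND_INDIRECTION hops) */
    const struct model_segment *segments;
    unsigned nr_segments;
};

/*
 * Pre-fix behaviour: collect the IND_SOURCE frames destined for [addr, addr+size)
 * and (in the kernel) vmap() them. Returns the number of frames found, or -1 where
 * the kernel hits WARN_ON(i < npages) because the walk found fewer than expected.
 * pfns[] receives the frames vmap() would have mapped.
 */
int map_segment_old(const struct model_image *img, unsigned long addr,
                    unsigned long size, unsigned long *pfns)
{
    unsigned long eaddr = addr + size, dest_page_addr = 0;
    unsigned npages = PFN_UP(eaddr) - PFN_DOWN(addr);
    unsigned i = 0;

    if (npages > MAX_PAGES)
        return -1;

    for (const kimage_entry_t *ptr = img->entries; !(*ptr & IND_DONE); ptr++) {
        kimage_entry_t entry = *ptr;
        if (entry & IND_DESTINATION) {
            dest_page_addr = entry & PG_MASK;
        } else if (entry & IND_SOURCE) {
            if (dest_page_addr >= addr && dest_page_addr < eaddr) {
                pfns[i++] = PFN_DOWN(entry & PG_MASK);
                if (i == npages)
                    break;
                dest_page_addr += PG_SIZE;
            }
        }
    }
    if (i < npages) {
        fprintf(stderr, "WARN: only %u of %u source pages found for segment at %#lx\n",
                i, npages, addr);
        return -1;
    }
    return (int)npages;
}

/*
 * Fixed behaviour: a CMA-backed segment already sits at its destination, so its
 * frames are the destination frames themselves (page_address() of the CMA pages
 * in the kernel). Only non-CMA segments go through the IND_SOURCE walk.
 */
int map_segment_fixed(const struct model_image *img, unsigned long addr,
                      unsigned long size, unsigned long *pfns)
{
    unsigned npages = PFN_UP(addr + size) - PFN_DOWN(addr);

    if (npages > MAX_PAGES)
        return -1;
    for (unsigned s = 0; s < img->nr_segments; s++) {
        const struct model_segment *seg = &img->segments[s];
        if (seg->cma && addr >= seg->mem && addr + size <= seg->mem + seg->memsz) {
            for (unsigned i = 0; i < npages; i++)
                pfns[i] = PFN_DOWN(addr) + i;
            return (int)npages;
        }
    }
    return map_segment_old(img, addr, size, pfns);
}

/* Constructed sample: a 3-page segment staged in scratch pages (the classic path). */
static const kimage_entry_t normal_entries[] = {
    0x10000 | IND_DESTINATION,
    0x30000 | IND_SOURCE, 0x31000 | IND_SOURCE, 0x32000 | IND_SOURCE,
    IND_DONE,
};
static const struct model_segment normal_segs[] = { { 0x10000, 3 * PG_SIZE, 0 } };
const struct model_image normal_image = { normal_entries, normal_segs, 1 };

/* Constructed sample: the same segment allocated directly in CMA at its
 * destination, so the list holds no IND_SOURCE entries at all. */
static const kimage_entry_t cma_entries[] = { IND_DONE };
static const struct model_segment cma_segs[] = { { 0x20000, 3 * PG_SIZE, 1 } };
const struct model_image cma_image = { cma_entries, cma_segs, 1 };

int main(void)
{
    unsigned long pfns[MAX_PAGES];
    int n;

    n = map_segment_old(&normal_image, 0x10000, 3 * PG_SIZE, pfns);
    printf("normal segment, old code: %d pages, first source pfn %#lx\n", n, pfns[0]);
    n = map_segment_old(&cma_image, 0x20000, 3 * PG_SIZE, pfns);
    printf("CMA segment, old code: %d (the WARN_ON path)\n", n);
    n = map_segment_fixed(&cma_image, 0x20000, 3 * PG_SIZE, pfns);
    printf("CMA segment, fixed code: %d pages, first pfn %#lx (page_address of the CMA pages)\n",
           n, pfns[0]);
    return 0;
}
```

The model makes the failure mode visible without a kexec-capable machine: for the CMA image the pre-fix walk returns -1 after finding zero source pages, while the fixed path never consults the indirection list for that segment.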

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (versions from 6.17.1 up to, but not including, 6.18.4)
cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* - VULNERABLE
In short: Linux kernel 6.17 through 6.18.3 (fixed in 6.18.4) and 6.19-rc1 through at least 6.19-rc6 (the configuration data below is cut off after rc6). Only kernels carrying commit 07d24902977e ("kexec: enable CMA based contiguous allocation") have the affected code path; the bug is reached only when IMA is active for kexec and the kexec segment is actually allocated in a CMA area.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-71139 PoC - Trigger kexec with CMA allocation
// This PoC demonstrates triggering the vulnerability by loading a kexec image
// when the target address is allocated in the CMA area
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <linux/kexec.h>

int main(void)
{
    printf("[*] CVE-2025-71139 PoC - Linux kernel kexec IMA CMA vulnerability\n");
    printf("[*] Requires: CMA area reserved (cma= kernel parameter)\n");
    printf("[*] Requires: kexec-tools installed and configured\n\n");

    // kexec_file_load() needs CAP_SYS_BOOT, so check for root before trying
    if (geteuid() != 0) {
        printf("[!] This exploit requires root privileges\n");
        return 1;
    }

    // Method 1: Trigger via the kexec_file_load syscall
    // Requires a kernel image and proper setup
    int kernel_fd = open("/boot/vmlinuz", O_RDONLY);
    if (kernel_fd < 0) {
        printf("[!] Kernel image not found. Try: kexec -l /boot/vmlinuz\n");
        return 1;
    }

    // Trigger kexec with a CMA-allocated IMA segment
    // This will cause the WARNING in kimage_map_segment()
    printf("[*] Attempting kexec_file_load syscall...\n");
    printf("[*] If CMA area is reserved, this should trigger the bug\n");
    printf("[!] Expected: WARNING at kernel/kexec_core.c:1001\n");
    printf("[!] Result: kimage_map_segment+0x144/0x198\n");

    // The actual syscall is left commented out, as in the original PoC: it
    // needs a proper kernel command line, and it really does load a new kernel
    // for the next kexec. Signature: kexec_file_load(kernel_fd, initrd_fd,
    // cmdline_len, cmdline, flags). On a vulnerable kernel with IMA enabled and
    // a CMA-backed segment this is the path that reaches ima_kexec_post_load()
    // -> kimage_map_segment() and its WARN_ON(); with panic_on_warn set, that
    // WARN becomes a kernel panic.
    // syscall(SYS_kexec_file_load, kernel_fd, -1, 0UL, NULL, KEXEC_FILE_NO_INITRAMFS);
    close(kernel_fd);

    // Method 2: Check dmesg for the warning ("\\|" is grep's basic-regex
    // alternation, escaped once for the C string)
    printf("\n[*] Checking kernel logs for WARNING...\n");
    system("dmesg | grep -i 'kimage_map_segment\\|IMA.*kexec' | tail -20");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71139", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-14T15:16:03.693", "lastModified": "2026-03-25T18:03:03.093", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernel/kexec: fix IMA when allocation happens in CMA area\n\n*** Bug description ***\n\nWhen I tested kexec with the latest kernel, I ran into the following warning:\n\n[ 40.712410] ------------[ cut here ]------------\n[ 40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198\n[...]\n[ 40.816047] Call trace:\n[ 40.818498] kimage_map_segment+0x144/0x198 (P)\n[ 40.823221] ima_kexec_post_load+0x58/0xc0\n[ 40.827246] __do_sys_kexec_file_load+0x29c/0x368\n[...]\n[ 40.855423] ---[ end trace 0000000000000000 ]---\n\n*** How to reproduce ***\n\nThis bug is only triggered when the kexec target address is allocated in\nthe CMA area. If no CMA area is reserved in the kernel, use the \"cma=\"\noption in the kernel command line to reserve one.\n\n*** Root cause ***\nThe commit 07d24902977e (\"kexec: enable CMA based contiguous\nallocation\") allocates the kexec target address directly on the CMA area\nto avoid copying during the jump. In this case, there is no IND_SOURCE\nfor the kexec segment. 
But the current implementation of\nkimage_map_segment() assumes that IND_SOURCE pages exist and map them\ninto a contiguous virtual address by vmap().\n\n*** Solution ***\nIf IMA segment is allocated in the CMA area, use its page_address()\ndirectly."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nkernel/kexec: corregir IMA cuando la asignación se produce en el área CMA\n\n* Descripción del error *\n\nCuando probé kexec con el kernel más reciente, me encontré con la siguiente advertencia:\n\n[ 40.712410] ------------[ cut here ]------------\n[ 40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198\n[...]\n[ 40.816047] Call trace:\n[ 40.818498] kimage_map_segment+0x144/0x198 (P)\n[ 40.823221] ima_kexec_post_load+0x58/0xc0\n[ 40.827246] __do_sys_kexec_file_load+0x29c/0x368\n[...]\n[ 40.855423] ---[ end trace 0000000000000000 ]---\n\n* Cómo reproducir *\n\nEste error solo se activa cuando la dirección de destino de kexec se asigna en el área CMA. Si no se reserva ningún área CMA en el kernel, use la opción 'cma=' en la línea de comandos del kernel para reservar una.\n\n* Causa raíz *\nEl commit 07d24902977e ('kexec: habilitar asignación contigua basada en CMA') asigna la dirección de destino de kexec directamente en el área CMA para evitar la copia durante el salto. En este caso, no hay IND_SOURCE para el segmento kexec. 
Pero la implementación actual de kimage_map_segment() asume que las páginas IND_SOURCE existen y las mapea en una dirección virtual contigua mediante vmap().\n\n* Solución *\nSi el segmento IMA se asigna en el área CMA, use su page_address() directamente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17.1", "versionEndExcluding": "6.18.4", "matchCriteriaId": "312F9EA6-4B54-4FDE-90FB-1414FF6BD0E6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*", "matchCriteriaId": "7CC8B11D-82DC-4958-8DC7-BF5CC829A5E9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", 
"matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44 ... (truncated)