Security Vulnerability Report
CVE-2025-71161 CVSS 5.5 MEDIUM

Published: 2026-01-23 16:15:53
Last Modified: 2026-03-25 11:16:15
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

dm-verity: disable recursive forward error correction

There are two problems with the recursive correction:

1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For each iteration, we may call verity_hash_for_block recursively. There is a limit of 4 nested recursions - that means that there may be at most 253^4 (4 billion) iterations. Red Hat QE team actually created an image that pushes dm-verity to this limit - and this image just makes the udev-worker process get stuck in the 'D' state.

2. It doesn't work. In fec_read_bufs we store data into the variable "fio->bufs", but fio bufs is shared between recursive invocations, if "verity_hash_for_block" invoked correction recursively, it would overwrite partially filled fio->bufs.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel < 6.12 (with dm-verity FEC enabled)
Linux kernel 5.15.x - 6.11.x (affected)
Red Hat Enterprise Linux (with vulnerable dm-verity FEC)
Android systems using dm-verity for system partition verification

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2025-71161 PoC - Linux kernel dm-verity recursive FEC DoS
// This PoC illustrates the vulnerability: a specially crafted dm-verity
// image can trigger excessive recursive FEC corrections.
// Note: the code below only prints a user-space simulation of the loop;
// it does not build an image or call into the kernel.

#include <stdio.h>

// Configuration for triggering the vulnerability
#define FEC_ITERATIONS 253
#define MAX_NESTED_RECURSION 4

// Simulate the vulnerable fec_read_bufs loop
void fec_read_bufs_exploit(void)
{
    printf("[*] Triggering CVE-2025-71161 dm-verity FEC vulnerability\n");
    printf("[*] FEC iterations: %d\n", FEC_ITERATIONS);
    printf("[*] Max nested recursion: %d\n", MAX_NESTED_RECURSION);

    // Simulate the vulnerable loop in fec_read_bufs
    for (int i = 0; i < FEC_ITERATIONS; i++) {
        printf("[*] Iteration %d/%d - calling verity_hash_for_block recursively\n",
               i + 1, FEC_ITERATIONS);
        // This simulates the recursive call that can lead to:
        // 1. Potential 253^4 iterations (DoS condition)
        // 2. fio->bufs buffer overwrite in nested calls
        // In real exploitation, this would cause udev-worker process
        // to hang in 'D' state (uninterruptible sleep)
    }

    printf("[!] System may become unresponsive\n");
    printf("[!] udev-worker process stuck in D state\n");
}

int main(void)
{
    printf("===========================================\n");
    printf("CVE-2025-71161 dm-verity FEC DoS PoC\n");
    printf("Target: Linux kernel dm-verity recursive FEC\n");
    printf("CVSS: 5.5 (Medium)\n");
    printf("===========================================\n\n");

    fec_read_bufs_exploit();

    printf("\n[*] PoC execution completed\n");
    printf("[*] Note: Real exploitation requires privileged access to load\n");
    printf("[*] a crafted dm-verity device with malformed FEC data\n");
    return 0;
}

/*
 * Exploitation requirements:
 * 1. Attacker needs local access to load dm-verity device
 * 2. Need to create a specially crafted disk image with:
 *    - Corrupted FEC data requiring correction
 *    - Structure that triggers deep recursion in verity_hash_for_block
 * 3. Load the image using dmsetup or similar tool
 *
 * Defense: Apply kernel patch to disable recursive FEC correction
 */
```

References

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-71161", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T16:15:53.000", "lastModified": "2026-03-25T11:16:14.790", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-verity: disable recursive forward error correction\n\nThere are two problems with the recursive correction:\n\n1. It may cause denial-of-service. In fec_read_bufs, there is a loop that\nhas 253 iterations. For each iteration, we may call verity_hash_for_block\nrecursively. There is a limit of 4 nested recursions - that means that\nthere may be at most 253^4 (4 billion) iterations. Red Hat QE team\nactually created an image that pushes dm-verity to this limit - and this\nimage just makes the udev-worker process get stuck in the 'D' state.\n\n2. It doesn't work. In fec_read_bufs we store data into the variable\n\"fio->bufs\", but fio bufs is shared between recursive invocations, if\n\"verity_hash_for_block\" invoked correction recursively, it would\noverwrite partially filled fio->bufs."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndm-verity: deshabilitar la corrección de errores hacia adelante recursiva\n\nHay dos problemas con la corrección recursiva:\n\n1. Puede causar una denegación de servicio. En fec_read_bufs, hay un bucle que tiene 253 iteraciones. Para cada iteración, podemos llamar a verity_hash_for_block recursivamente. Hay un límite de 4 recursiones anidadas, lo que significa que puede haber como máximo 253^4 (4 mil millones) iteraciones. El equipo de QE de Red Hat creó una imagen que lleva a dm-verity a este límite, y esta imagen simplemente hace que el proceso udev-worker se quede atascado en el estado 'D'.\n\n2. No funciona. En fec_read_bufs almacenamos datos en la variable 'fio->bufs', pero fio bufs se comparte entre invocaciones recursivas; si 'verity_hash_for_block' invocara la corrección recursivamente, sobrescribiría los fio->bufs parcialmente llenos."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-193"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "6.18.6", "matchCriteriaId": "09F12E1C-9D38-454F-8AC2-792EBBD94320"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/232948cf600fba69aff36b25d85ef91a73a35756", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/4220cb37406915c926c0e4a3dbab77cd9cceeb1e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/897d9006e75f46f8bd7df78faa424327ae6a4bcf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d9f3e47d3fae0c101d9094bc956ed24e7a0ee801", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e227d2b229c7529bd98d348efc55262ccf24ab35", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}
```