CVE-2025-71095

MEDIUM EPSS 1.7%
Published Jan 13, 20265mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Jan 13, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDP_TX action There is a crash issue when running zero copy XDP_TX action, the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP [ 216.301694] Call trace: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 [ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 [ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 [ 216.326576] __napi_poll+0x40/0x218 [ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt For XDP_TX action, the xdp_buff is converted to xdp_frame by xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame depends on the memory type of the xdp_buff. For page pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy XSK pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the memory type and always uses the page pool type, this leads to invalid mappings and causes the crash. Therefore, check the xdp_buff memory type in stmmac_xdp_xmit_back() to fix this issue.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
1.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 13

VendorProductVersionRange
linuxlinux_kernel*≥5.13.1  –  <6.1.160
linuxlinux_kernel*≥6.2  –  <6.6.120
linuxlinux_kernel*≥6.7  –  <6.12.64
linuxlinux_kernel*≥6.13  –  <6.18.4
linuxlinux_kernel5.13any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any

References 5

  • git.kernel.org https://git.kernel.org/stable/c/3f7823219407f2f18044c2b72366a48810c5c821
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/45ee0462b88396a0bd1df1991f801c89994ea72b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4d0ceb7677e1c4616afb96abb4518f70b65abb0d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5e5988736a95b1de7f91b10ac2575454b70e4897
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a48e232210009be50591fdea8ba7c07b0f566a13
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/3f7823219407f2f18044c2b72366a48810c5c821
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/45ee0462b88396a0bd1df1991f801c89994ea72b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4d0ceb7677e1c4616afb96abb4518f70b65abb0d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5e5988736a95b1de7f91b10ac2575454b70e4897
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a48e232210009be50591fdea8ba7c07b0f566a13
    Patch