CVE-2025-71139 (GCVE-0-2025-71139)

Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-01-14 15:07
Title
kernel/kexec: fix IMA when allocation happens in CMA area
Summary
In the Linux kernel, the following vulnerability has been resolved:

kernel/kexec: fix IMA when allocation happens in CMA area

*** Bug description ***

When I tested kexec with the latest kernel, I ran into the following warning:

[   40.712410] ------------[ cut here ]------------
[   40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198
[...]
[   40.816047] Call trace:
[   40.818498]  kimage_map_segment+0x144/0x198 (P)
[   40.823221]  ima_kexec_post_load+0x58/0xc0
[   40.827246]  __do_sys_kexec_file_load+0x29c/0x368
[...]
[   40.855423] ---[ end trace 0000000000000000 ]---

*** How to reproduce ***

This bug is only triggered when the kexec target address is allocated in the CMA area. If no CMA area is reserved in the kernel, use the "cma=" option in the kernel command line to reserve one.

*** Root cause ***

The commit 07d24902977e ("kexec: enable CMA based contiguous allocation") allocates the kexec target address directly on the CMA area to avoid copying during the jump. In this case, there is no IND_SOURCE for the kexec segment. But the current implementation of kimage_map_segment() assumes that IND_SOURCE pages exist and maps them into a contiguous virtual address by vmap().

*** Solution ***

If the IMA segment is allocated in the CMA area, use its page_address() directly.
Severity
No CVSS data available.
Assigner
Linux
Impacted products
Vendor: Linux | Product: Linux
    Affected: 07d24902977e4704fab8472981e73a0ad6dfa1fd , < a843e4155c83211c55b1b6cc17eab27a6a2c5b6f (git)
    Affected: 07d24902977e4704fab8472981e73a0ad6dfa1fd , < a3785ae5d334bb71d47a593d54c686a03fb9d136 (git)
Vendor: Linux | Product: Linux
    Affected: 6.17
    Unaffected: 0 , < 6.17 (semver)
    Unaffected: 6.18.4 , ≤ 6.18.* (semver)
    Unaffected: 6.19-rc4 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/kexec_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a843e4155c83211c55b1b6cc17eab27a6a2c5b6f",
              "status": "affected",
              "version": "07d24902977e4704fab8472981e73a0ad6dfa1fd",
              "versionType": "git"
            },
            {
              "lessThan": "a3785ae5d334bb71d47a593d54c686a03fb9d136",
              "status": "affected",
              "version": "07d24902977e4704fab8472981e73a0ad6dfa1fd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/kexec_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.17"
            },
            {
              "lessThan": "6.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.4",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc4",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernel/kexec: fix IMA when allocation happens in CMA area\n\n*** Bug description ***\n\nWhen I tested kexec with the latest kernel, I ran into the following warning:\n\n[   40.712410] ------------[ cut here ]------------\n[   40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198\n[...]\n[   40.816047] Call trace:\n[   40.818498]  kimage_map_segment+0x144/0x198 (P)\n[   40.823221]  ima_kexec_post_load+0x58/0xc0\n[   40.827246]  __do_sys_kexec_file_load+0x29c/0x368\n[...]\n[   40.855423] ---[ end trace 0000000000000000 ]---\n\n*** How to reproduce ***\n\nThis bug is only triggered when the kexec target address is allocated in\nthe CMA area. If no CMA area is reserved in the kernel, use the \"cma=\"\noption in the kernel command line to reserve one.\n\n*** Root cause ***\nThe commit 07d24902977e (\"kexec: enable CMA based contiguous\nallocation\") allocates the kexec target address directly on the CMA area\nto avoid copying during the jump. In this case, there is no IND_SOURCE\nfor the kexec segment.  But the current implementation of\nkimage_map_segment() assumes that IND_SOURCE pages exist and map them\ninto a contiguous virtual address by vmap().\n\n*** Solution ***\nIf IMA segment is allocated in the CMA area, use its page_address()\ndirectly."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-14T15:07:52.658Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a843e4155c83211c55b1b6cc17eab27a6a2c5b6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a3785ae5d334bb71d47a593d54c686a03fb9d136"
        }
      ],
      "title": "kernel/kexec: fix IMA when allocation happens in CMA area",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71139",
    "datePublished": "2026-01-14T15:07:52.658Z",
    "dateReserved": "2026-01-13T15:30:19.656Z",
    "dateUpdated": "2026-01-14T15:07:52.658Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-71139\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-14T15:16:03.693\",\"lastModified\":\"2026-01-14T16:25:12.057\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkernel/kexec: fix IMA when allocation happens in CMA area\\n\\n*** Bug description ***\\n\\nWhen I tested kexec with the latest kernel, I ran into the following warning:\\n\\n[   40.712410] ------------[ cut here ]------------\\n[   40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198\\n[...]\\n[   40.816047] Call trace:\\n[   40.818498]  kimage_map_segment+0x144/0x198 (P)\\n[   40.823221]  ima_kexec_post_load+0x58/0xc0\\n[   40.827246]  __do_sys_kexec_file_load+0x29c/0x368\\n[...]\\n[   40.855423] ---[ end trace 0000000000000000 ]---\\n\\n*** How to reproduce ***\\n\\nThis bug is only triggered when the kexec target address is allocated in\\nthe CMA area. If no CMA area is reserved in the kernel, use the \\\"cma=\\\"\\noption in the kernel command line to reserve one.\\n\\n*** Root cause ***\\nThe commit 07d24902977e (\\\"kexec: enable CMA based contiguous\\nallocation\\\") allocates the kexec target address directly on the CMA area\\nto avoid copying during the jump. In this case, there is no IND_SOURCE\\nfor the kexec segment.  But the current implementation of\\nkimage_map_segment() assumes that IND_SOURCE pages exist and map them\\ninto a contiguous virtual address by vmap().\\n\\n*** Solution ***\\nIf IMA segment is allocated in the CMA area, use its page_address()\\ndirectly.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/a3785ae5d334bb71d47a593d54c686a03fb9d136\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a843e4155c83211c55b1b6cc17eab27a6a2c5b6f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

