PatchSiren cyber security CVE debrief
CVE-2025-71161 Linux CVE debrief
CVE-2025-71161 is a medium-severity vulnerability in the Linux kernel's dm-verity subsystem, specifically affecting its forward error correction (FEC) mechanism. The flaw was resolved by disabling recursive forward error correction, which had presented two distinct problems: a potential denial-of-service condition and functional corruption of recovery data. The vulnerability was published on January 23, 2026, and the record was last modified on June 1, 2026. The issue affects Linux kernel versions from 4.5 up to but not including 6.18.6. The CVSS 3.1 vector indicates a local attack vector with low attack complexity, requiring low privileges and no user interaction, resulting in a high availability impact. The underlying weakness is categorized as CWE-193 (Off-by-one Error).
The denial-of-service condition arises from an unbounded iteration problem: the fec_read_bufs function contains a loop with 253 iterations, and each iteration may recursively call verity_hash_for_block with a maximum nesting depth of 4, theoretically permitting up to 253^4 (approximately 4 billion) iterations. The Red Hat QE team demonstrated this with a crafted image that causes udev-worker processes to enter an uninterruptible sleep state ('D' state).
Separately, the recursive correction mechanism was functionally broken because fio->bufs is shared across recursive invocations, causing partial data overwrites when verity_hash_for_block triggers nested corrections. Multiple stable kernel patches have been applied to address this vulnerability.
- Vendor: Linux
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-23
- Original CVE updated: 2026-06-01
- Advisory published: 2026-01-23
- Advisory updated: 2026-06-01
Who should care
Linux system administrators managing dm-verity-protected deployments, particularly those using forward error correction for resilience in embedded systems, mobile devices, or secure boot environments. Security teams responsible for kernel patch management and vulnerability response. Organizations relying on dm-verity for integrity verification in container runtimes, Android, or IoT platforms where local attackers may control crafted disk images.
Technical summary
The dm-verity driver in the Linux kernel implements transparent integrity verification for block devices, with optional forward error correction (FEC) to recover from minor data corruption. CVE-2025-71161 stems from a flawed recursive FEC design in which fec_read_bufs could invoke verity_hash_for_block recursively, up to 4 levels deep. Each recursion level operates within a 253-iteration loop, creating exponential iteration growth (253^4 maximum). This architectural defect allows a local attacker who is able to present a maliciously crafted dm-verity image to trigger unbounded processing, causing kernel worker threads to enter uninterruptible sleep. Additionally, the fio->bufs buffer is shared across recursive invocations, so nested corrections overwrite partially populated recovery buffers, rendering the FEC mechanism functionally incorrect. The fix disables recursive forward error correction entirely, eliminating both the DoS vector and the data corruption bug.
Defensive priority
medium
Recommended defensive actions
- Apply the relevant stable kernel patch for your distribution to disable recursive forward error correction in dm-verity.
- Upgrade to Linux kernel version 6.18.6 or later, or apply the vendor-provided backported patch for supported stable branches.
- Monitor systems using dm-verity with FEC for processes stuck in uninterruptible sleep ('D' state), which may indicate exploitation attempts.
- Validate integrity of dm-verity-protected images before deployment, as recursive FEC could corrupt recovery data even before the fix.
- Review custom dm-verity configurations that enable forward error correction to ensure patches have been applied.
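
The checks in the list above, sketched as a small triage script. This is an added example, not code from the advisory or the kernel project; the function names are hypothetical and the `dmsetup table` and `ps` lines are constructed samples.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory): triage helpers for CVE-2025-71161.

# Exit 0 if kernel release $1 is in the upstream range 4.5 <= v < 6.18.6.
# A distro backport can fix an in-range kernel, so "in range" means
# "confirm against the vendor advisory", not "vulnerable".
# The expansion strips the suffix: "6.18.5-200.fc43" -> "6.18.5".
kver_in_range() {
  awk -v v="${1%%[!0-9.]*}" 'BEGIN { split(v, a, ".")
    n = a[1] * 1000000 + a[2] * 1000 + a[3]
    exit !(n >= 4005000 && n < 6018006) }'
}

# stdin: `dmsetup table` output. Prints verity targets that have FEC enabled.
verity_fec_targets() {
  awk '$4 == "verity" && / use_fec_from_device / { sub(/:$/, "", $1); print $1 }'
}

# stdin: repeated `ps -eo pid=,stat=,comm=` snapshots. Prints PIDs of udev
# processes seen in D state in at least $1 snapshots (default 2); a single
# D-state sample is normal I/O wait, persistence is the signal.
stuck_udev_pids() {
  awk -v n="${1:-2}" '$2 ~ /^D/ && $3 ~ /udev/ { c[$1]++ }
    END { for (p in c) if (c[p] >= n) print p }' | sort -n
}

# Constructed sample data (digest and salt replaced by placeholders).
SAMPLE_TABLE='vroot: 0 4194304 verity 1 253:0 253:1 4096 4096 524288 1 sha256 DIGEST SALT 9 ignore_zero_blocks use_fec_from_device 253:2 fec_roots 2 fec_blocks 528513 fec_start 524289
vdata: 0 2097152 verity 1 253:3 253:4 4096 4096 262144 1 sha256 DIGEST SALT
home: 0 1048576 linear 8:3 2048'
# Two constructed ps snapshots, concatenated.
SAMPLE_PS='412 Ss systemd-udevd
977 D (udev-worker)
980 S (udev-worker)
412 Ss systemd-udevd
977 D (udev-worker)
980 D (udev-worker)'

# Report on the samples; on a real host feed `uname -r`, `dmsetup table`
# and timed `ps` snapshots instead.
report() {
  kver_in_range "$1" && echo "kernel $1: in affected range, check vendor fix"
  printf '%s\n' "$SAMPLE_TABLE" | verity_fec_targets | sed 's/^/FEC verity target: /'
  printf '%s\n' "$SAMPLE_PS" | stuck_udev_pids | sed 's/^/persistent D-state udev PID: /'
}
report "6.12.9-amd64"
```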
Evidence notes
Vulnerability description sourced from official CVE record and NVD data. Technical details regarding fec_read_bufs, verity_hash_for_block recursion, fio->bufs shared state, and Red Hat QE reproduction confirmed in CVE description. Affected version range 4.5 to <6.18.6 derived from NVD CPE criteria. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H from NVD. CWE-193 classification from NVD weakness data. Patch links verified through kernel.org stable tree references.
Official resources
- CVE-2025-71161 CVE record (CVE.org)
- CVE-2025-71161 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
2026-01-23