CVE-2025-21770 (GCVE-0-2025-21770)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2025-10-01 19:36
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved: iommu: Fix potential memory leak in iopf_queue_remove_device() The iopf_queue_remove_device() helper removes a device from the per-iommu iopf queue when PRI is disabled on the device. It responds to all outstanding iopf's with an IOMMU_PAGE_RESP_INVALID code and detaches the device from the queue. However, it fails to release the group structure that represents a group of iopf's awaiting for a response after responding to the hardware. This can cause a memory leak if iopf_queue_remove_device() is called with pending iopf's. Fix it by calling iopf_free_group() after the iopf group is responded.
Severity ?
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 19911232713573a2ebea84a25bd4d71d024ed86b , < db60d2d896a17decd58d143eef92cf22eb0a0176 (git)
Affected: 19911232713573a2ebea84a25bd4d71d024ed86b , < 90d5429cd2921ca2714684ed525898d431bb9283 (git)
Affected: 19911232713573a2ebea84a25bd4d71d024ed86b , < 9759ae2cee7cd42b95f1c48aa3749bd02b5ddb08 (git)
Create a notification for this product.
    Linux Linux Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.16 , ≤ 6.12.* (semver)
Unaffected: 6.13.4 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21770",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:30:41.180209Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:36:40.725Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/io-pgfault.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "db60d2d896a17decd58d143eef92cf22eb0a0176",
              "status": "affected",
              "version": "19911232713573a2ebea84a25bd4d71d024ed86b",
              "versionType": "git"
            },
            {
              "lessThan": "90d5429cd2921ca2714684ed525898d431bb9283",
              "status": "affected",
              "version": "19911232713573a2ebea84a25bd4d71d024ed86b",
              "versionType": "git"
            },
            {
              "lessThan": "9759ae2cee7cd42b95f1c48aa3749bd02b5ddb08",
              "status": "affected",
              "version": "19911232713573a2ebea84a25bd4d71d024ed86b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/io-pgfault.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Fix potential memory leak in iopf_queue_remove_device()\n\nThe iopf_queue_remove_device() helper removes a device from the per-iommu\niopf queue when PRI is disabled on the device. It responds to all\noutstanding iopf\u0027s with an IOMMU_PAGE_RESP_INVALID code and detaches the\ndevice from the queue.\n\nHowever, it fails to release the group structure that represents a group\nof iopf\u0027s awaiting for a response after responding to the hardware. This\ncan cause a memory leak if iopf_queue_remove_device() is called with\npending iopf\u0027s.\n\nFix it by calling iopf_free_group() after the iopf group is responded."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:44.300Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/db60d2d896a17decd58d143eef92cf22eb0a0176"
        },
        {
          "url": "https://git.kernel.org/stable/c/90d5429cd2921ca2714684ed525898d431bb9283"
        },
        {
          "url": "https://git.kernel.org/stable/c/9759ae2cee7cd42b95f1c48aa3749bd02b5ddb08"
        }
      ],
      "title": "iommu: Fix potential memory leak in iopf_queue_remove_device()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21770",
    "datePublished": "2025-02-27T02:18:18.570Z",
    "dateReserved": "2024-12-29T08:45:45.762Z",
    "dateUpdated": "2025-10-01T19:36:40.725Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21770\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-27T03:15:17.677\",\"lastModified\":\"2025-10-01T20:18:23.680\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu: Fix potential memory leak in iopf_queue_remove_device()\\n\\nThe iopf_queue_remove_device() helper removes a device from the per-iommu\\niopf queue when PRI is disabled on the device. It responds to all\\noutstanding iopf\u0027s with an IOMMU_PAGE_RESP_INVALID code and detaches the\\ndevice from the queue.\\n\\nHowever, it fails to release the group structure that represents a group\\nof iopf\u0027s awaiting for a response after responding to the hardware. This\\ncan cause a memory leak if iopf_queue_remove_device() is called with\\npending iopf\u0027s.\\n\\nFix it by calling iopf_free_group() after the iopf group is responded.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iommu: Se corrige una posible p\u00e9rdida de memoria en iopf_queue_remove_device() El asistente iopf_queue_remove_device() elimina un dispositivo de la cola de iopf por iommu cuando PRI est\u00e1 deshabilitado en el dispositivo. Responde a todos los iopf pendientes con un c\u00f3digo IOMMU_PAGE_RESP_INVALID y separa el dispositivo de la cola. Sin embargo, no libera la estructura de grupo que representa un grupo de iopf que esperan una respuesta despu\u00e9s de responder al hardware. Esto puede provocar una p\u00e9rdida de memoria si se llama a iopf_queue_remove_device() con iopf pendientes. Corr\u00edjalo llamando a iopf_free_group() despu\u00e9s de que se responda al grupo de iopf.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-401\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-401\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.9\",\"versionEndExcluding\":\"6.12.16\",\"matchCriteriaId\":\"363D69C4-4671-4259-BDC7-019561CF061F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.4\",\"matchCriteriaId\":\"2A2093ED-74A9-43F9-AC72-50030F374EA4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"186716B6-2B66-4BD0-852E-D48E71C0C85F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D3E781C-403A-498F-9DA9-ECEE50F41E75\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/90d5429cd2921ca2714684ed525898d431bb9283\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9759ae2cee7cd42b95f1c48aa3749bd02b5ddb08\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/db60d2d896a17decd58d143eef92cf22eb0a0176\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-21770\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-01T19:30:41.180209Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-401\", \"description\": \"CWE-401 Missing Release of Memory after Effective Lifetime\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-01T16:56:01.175Z\"}}], \"cna\": {\"title\": \"iommu: Fix potential memory leak in iopf_queue_remove_device()\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"19911232713573a2ebea84a25bd4d71d024ed86b\", \"lessThan\": \"db60d2d896a17decd58d143eef92cf22eb0a0176\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"19911232713573a2ebea84a25bd4d71d024ed86b\", \"lessThan\": \"90d5429cd2921ca2714684ed525898d431bb9283\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"19911232713573a2ebea84a25bd4d71d024ed86b\", \"lessThan\": \"9759ae2cee7cd42b95f1c48aa3749bd02b5ddb08\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/iommu/io-pgfault.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.9\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.9\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.12.16\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.13.4\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.13.*\"}, {\"status\": \"unaffected\", \"version\": \"6.14\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/iommu/io-pgfault.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/db60d2d896a17decd58d143eef92cf22eb0a0176\"}, {\"url\": \"https://git.kernel.org/stable/c/90d5429cd2921ca2714684ed525898d431bb9283\"}, {\"url\": \"https://git.kernel.org/stable/c/9759ae2cee7cd42b95f1c48aa3749bd02b5ddb08\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu: Fix potential memory leak in iopf_queue_remove_device()\\n\\nThe iopf_queue_remove_device() helper removes a device from the per-iommu\\niopf queue when PRI is disabled on the device. It responds to all\\noutstanding iopf\u0027s with an IOMMU_PAGE_RESP_INVALID code and detaches the\\ndevice from the queue.\\n\\nHowever, it fails to release the group structure that represents a group\\nof iopf\u0027s awaiting for a response after responding to the hardware. This\\ncan cause a memory leak if iopf_queue_remove_device() is called with\\npending iopf\u0027s.\\n\\nFix it by calling iopf_free_group() after the iopf group is responded.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12.16\", \"versionStartIncluding\": \"6.9\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.13.4\", \"versionStartIncluding\": \"6.9\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.14\", \"versionStartIncluding\": \"6.9\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T07:20:44.300Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-21770\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-01T19:36:40.725Z\", \"dateReserved\": \"2024-12-29T08:45:45.762Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-02-27T02:18:18.570Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.