Description
In the Linux kernel, the following vulnerability has been resolved:

drm/tests: shmem: Hold reservation lock around madvise

Acquire and release the GEM object's reservation lock around calls
to the object's madvise operation. The tests use
drm_gem_shmem_madvise_locked(), which led to errors such as shown below.

[ 58.339389] WARNING: CPU: 1 PID: 1352 at drivers/gpu/drm/drm_gem_shmem_helper.c:499 drm_gem_shmem_madvise_locked+0xde/0x140

Only export the new helper drm_gem_shmem_madvise() for Kunit tests.
This is not an interface for regular drivers.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s DRM shmem tests contain a helper, drm_gem_shmem_madvise_locked, that releases the GEM object’s reservation lock while a madvise operation is in progress. This releases the lock too early, creating a race condition that manifests as kernel warning messages and could corrupt kernel state or cause a crash. The flaw is isolated to this test helper and is not part of the public DRM driver API.

Affected Systems

Any build of the Linux kernel that includes the unpatched drm_gem_shmem_madvise_locked helper is affected. Development and test environments that compile the original helper are impacted; production configurations that omit these test helpers are unlikely to suffer the issue.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in CISA KEV, indicating a very low exploitation probability. Because the flaw exists only in a test helper invoked by the Kunit test framework, the inferred attack vector requires executing that test helper in an environment where it is enabled. A successful exploitation could trigger kernel warnings, state corruption, or a crash, consistent with the moderate CVSS score of 5.5.

Generated by OpenCVE AI on May 14, 2026 at 23:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that surrounds madvise calls with the reservation lock, replacing the problematic drm_gem_shmem_madvise_locked implementation with the updated drm_gem_shmem_madvise helper.
  • Disable or remove any build configurations that enable the old shmem test helper from the kernel when deploying in a production environment.
  • Keep the Linux kernel updated to versions that contain this fix.

Generated by OpenCVE AI on May 14, 2026 at 23:57 UTC.

Advisories

No advisories yet.

History

Thu, 14 May 2026 22:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Thu, 14 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 08 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/tests: shmem: Hold reservation lock around madvise Acquire and release the GEM object's reservation lock around calls to the object's madvise operation. The tests use drm_gem_shmem_madvise_locked(), which led to errors such as shown below. [ 58.339389] WARNING: CPU: 1 PID: 1352 at drivers/gpu/drm/drm_gem_shmem_helper.c:499 drm_gem_shmem_madvise_locked+0xde/0x140 Only export the new helper drm_gem_shmem_madvise() for Kunit tests. This is not an interface for regular drivers.
Title drm/tests: shmem: Hold reservation lock around madvise
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T21:57:29.659Z

Reserved: 2026-05-06T11:31:45.510Z

Link: CVE-2025-71298

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-08T14:16:31.153

Modified: 2026-05-14T19:21:09.073

Link: CVE-2025-71298

Redhat

Severity : Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2025-71298 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-15T00:00:06Z

Weaknesses