Vulnerabilities ›

CVE-2025-71155

High

In the Linux kernel, the following vulnerability has been resolved: KVM: s390: Fix gmap_helper_zap_one_page() again A few checks were missing in gmap_helper_zap_one_page(), which can lead to memory

CWE-787 — Weakness Type

                    Published: Jan 23, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

In the Linux kernel, the following vulnerability has been resolved:

KVM: s390: Fix gmap_helper_zap_one_page() again

A few checks were missing in gmap_helper_zap_one_page(), which can lead
to memory corruption in the guest under specific circumstances.

Add the missing checks.

🤖 AI Executive Summary

CVE-2025-71155 is a memory corruption vulnerability in the Linux kernel's KVM s390 implementation affecting the gmap_helper_zap_one_page() function. Missing validation checks can lead to guest memory corruption under specific circumstances. This vulnerability requires local access and affects systems running vulnerable Linux kernel versions on s390 architecture.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 28, 2026 07:52

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily affects Saudi organizations running KVM virtualization on s390 architecture systems, which is less common in typical Saudi enterprise environments but critical for: (1) Government data centers using IBM mainframe-based virtualization for sensitive applications, (2) Large financial institutions (SAMA-regulated banks) utilizing s390 systems for core banking infrastructure, (3) Telecommunications providers (STC, Mobily) running virtualized mainframe workloads. The memory corruption could lead to guest VM escape scenarios, compromising isolated workloads and potentially affecting multi-tenant environments.

🏢 Affected Saudi Sectors

Government Banking Telecommunications Data Centers Enterprise IT Infrastructure

🎯 MITRE ATT&CK Techniques

T1548 - Abuse Elevation Control Mechanism T1055 - Process Injection T1499 - Endpoint Denial of Service T1040 - Traffic Capture or Redirection

⚖️ Saudi Risk Score (AI)

6.2

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify systems running Linux kernel on s390 architecture with KVM enabled

2. Check kernel version against vulnerable versions (typically pre-6.x series with the unfixed gmap_helper_zap_one_page function)

3. Restrict local access to KVM hypervisor management interfaces



Patching Guidance:

1. Apply the latest Linux kernel security patch that includes the gmap_helper_zap_one_page() fix

2. Test patches in non-production environments first, particularly for critical banking/government systems

3. Schedule maintenance windows for kernel updates on production s390 systems

4. Verify patch application: grep 'gmap_helper_zap_one_page' in kernel changelog



Compensating Controls (if immediate patching not possible):

1. Implement strict access controls to KVM management interfaces

2. Disable KVM on non-essential s390 systems

3. Isolate s390 virtualization hosts on separate network segments

4. Monitor for unusual memory access patterns in guest VMs



Detection Rules:

1. Monitor kernel logs for memory corruption warnings or page fault anomalies

2. Alert on unexpected guest VM crashes or memory errors

3. Track unauthorized attempts to access KVM management interfaces

4. Monitor for guest-to-host escape attempts using SELinux/AppArmor logs

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد الأنظمة التي تقوم بتشغيل نواة لينكس على معمارية s390 مع تفعيل KVM

2. التحقق من إصدار النواة مقابل الإصدارات المعرضة للخطر

3. تقييد الوصول المحلي إلى واجهات إدارة KVM



إرشادات التصحيح:

1. تطبيق أحدث تصحيح أمان نواة لينكس يتضمن إصلاح gmap_helper_zap_one_page()

2. اختبار التصحيحات في بيئات غير الإنتاج أولاً

3. جدولة نوافذ الصيانة لتحديثات النواة على أنظمة s390 الإنتاجية

4. التحقق من تطبيق التصحيح



الضوابط البديلة:

1. تطبيق ضوابط وصول صارمة على واجهات إدارة KVM

2. تعطيل KVM على أنظمة s390 غير الأساسية

3. عزل مضيفي افتراضية s390 على قطاعات شبكة منفصلة

4. مراقبة أنماط الوصول غير العادية للذاكرة في الأجهزة الافتراضية الضيفة



قواعد الكشف:

1. مراقبة سجلات النواة للتحذيرات من تلف الذاكرة

2. التنبيه على أعطال الأجهزة الافتراضية غير المتوقعة

3. تتبع محاولات الوصول غير المصرح بها

4. مراقبة محاولات الهروب من الضيف إلى المضيف

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.14.2.1 - Secure development policy ECC 2024 A.12.2.1 - Monitoring and logging of access

🔵 SAMA CSF

SAMA CSF ID.RA-1 - Asset Management and Vulnerability Management SAMA CSF PR.IP-12 - System and Information Integrity SAMA CSF DE.CM-1 - Detection and Analysis

🟡 ISO 27001:2022

ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities ISO 27001:2022 A.14.2.1 - Secure development, test and acceptance ISO 27001:2022 A.12.2.1 - Information and other assets associated with information processing facilities

🔗 References & Sources 2

🔗

https://git.kernel.org/stable/c/2af2abbcbf8573100288e8f8aea2dab8a2a0ceb7

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/2f393c228cc519ddf19b8c6c05bf15723241aa96

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

📦 Affected Products / CPE 2 entries

linux:linux_kernel

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-787

EPSS0.02%

Exploit No

Patch ✓ Yes

Published 2026-01-23

Source Feed nvd

🇸🇦 Saudi Risk Score

6.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

patch-available CWE-787

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2025-71155

💬 Comments

Introduce Yourself

Sign In Required