HIGH
riscv Syscall Table Speculation Leak
CVE-2025-71203
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.0 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

riscv: Sanitize syscall table indexing under speculation

The syscall number is a user-controlled value used to index into the syscall table. Use array_index_nospec() to clamp this value after the bounds check to prevent speculative out-of-bounds access and subsequent data leakage via cache side channels.
02 KernelScan AI Analysis
Risk summary
An attacker with local code execution on RISC-V systems can potentially leak kernel memory contents by exploiting speculative execution during syscall handling. The attacker would make syscalls with crafted numbers to trigger speculative out-of-bounds access to the syscall table, then use cache timing attacks to extract the leaked data. This could expose sensitive kernel information.
Vulnerability analysis
Root Cause: The RISC-V syscall handler uses a user-controlled syscall number to directly index into the syscall table after bounds checking. However, during speculative execution, the CPU may speculatively execute the array access before the bounds check is resolved, potentially accessing out-of-bounds memory and leaking data through cache side channels.
Attack Surface: Local attack surface requiring the ability to make system calls. The vulnerability affects all RISC-V systems running the vulnerable kernel versions. Exploitation requires local code execution to control syscall numbers and perform cache timing attacks to extract leaked data.
Fix Mechanism: The patch adds array_index_nospec() to sanitize the syscall number after the bounds check. This function uses architecture-specific barriers to prevent speculative execution from accessing out-of-bounds array elements, effectively mitigating Spectre-style attacks on the syscall table.
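The clamp-after-bounds-check pattern described above, as an added user-space example (not the kernel's riscv code and not part of the original page). It models the kernel's generic branchless mask form of array_index_nospec(), which architectures may override; the table, handlers and the names index_mask, clamp_index and demo_dispatch are hypothetical.

```c
/* Added example: user-space model, not the kernel's riscv code. */
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)
#define NR_DEMO 4UL                      /* constructed table size */

typedef long (*demo_fn)(void);
static long demo_a(void) { return 10; }
static long demo_b(void) { return 11; }
static long demo_c(void) { return 12; }
static long demo_d(void) { return 13; }
static long demo_enosys(void) { return -38; }   /* -ENOSYS */
static const demo_fn demo_table[NR_DEMO] = { demo_a, demo_b, demo_c, demo_d };

/* All ones when index < size, zero otherwise, computed without a branch.
 * Relies on arithmetic right shift of a negative long (GCC/Clang behaviour)
 * and on size <= LONG_MAX. */
static unsigned long index_mask(unsigned long index, unsigned long size)
{
    /* Hide the value so the compiler cannot drop the mask as redundant
     * after the bounds check; it does not reason about speculation. */
    __asm__ volatile("" : "+r"(index));
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (BITS_PER_LONG - 1));
}

static unsigned long clamp_index(unsigned long index, unsigned long size)
{
    return index & index_mask(index, size);
}

/* Bounds check first, then clamp: the load address depends on the mask,
 * so a mispredicted branch can only ever reach slot 0. */
static long demo_dispatch(unsigned long nr)
{
    if (nr < NR_DEMO) {
        nr = clamp_index(nr, NR_DEMO);
        return demo_table[nr]();
    }
    return demo_enosys();
}

int main(void)
{
    printf("%ld %ld %lu\n", demo_dispatch(2), demo_dispatch(99),
           clamp_index(ULONG_MAX, NR_DEMO));
    return 0;
}
```

When auditing similar dispatch code, check that the clamped value, not the original one, is what reaches the array subscript.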
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.70 | c45848936ebd |
| 6.18 | 6.18.10 | 8b44e7537951 |
| 6.6 | 6.6.130 | 33743ec6679a |
| mainline | 6.19 | 25fd7ee7bf58 |