HIGH
crypto IAA CompressionMode OOB
CVE-2025-71231
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI 7.1 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode

The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned.

If no empty compression mode can be found, the function would return the out-of-bounds index IAA_COMP_MODES_MAX, which would cause an invalid array access in add_iaa_compression_mode().

Fix both issues by returning either a valid index or -EINVAL.
02 KernelScan AI Analysis
Risk summary
A programming error in Intel's IAA crypto driver could allow reading memory outside of an array when all compression mode slots are occupied. This could potentially leak kernel memory contents or cause system instability, but requires local access and use of the IAA compression hardware.
Vulnerability analysis
Root Cause: The find_empty_iaa_compression_mode() function has a logic error where it returns an out-of-bounds index (IAA_COMP_MODES_MAX) when no empty compression mode slot is found. The function initializes variable 'i' to -EINVAL but the for loop immediately overwrites it, and if the loop completes without finding an empty slot, it returns the invalid index IAA_COMP_MODES_MAX instead of an error code.
Attack Surface: Local attack surface requiring access to Intel Analytics Accelerator (IAA) crypto functionality. The vulnerability is triggered when the compression mode array is full and a new mode is being added, leading to potential out-of-bounds array access in add_iaa_compression_mode().
Fix Mechanism: The patch restructures the function to return immediately when an empty slot is found (early return pattern), and returns -EINVAL if no empty slot is available after checking all slots. This prevents returning the out-of-bounds index IAA_COMP_MODES_MAX.
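The before and after patterns described above, as a user-space C model added here for illustration; it is not the kernel's code. MODES_MAX, modes, find_empty_before, find_empty_after and add_mode are hypothetical stand-ins, and the -ERANGE check exists only so the demo reports the bad index instead of touching memory past the array.

```c
#include <errno.h>
#include <stdio.h>

#define MODES_MAX 2                     /* stand-in for IAA_COMP_MODES_MAX */
static const char *modes[MODES_MAX];    /* NULL means the slot is empty */

/* Pattern described as the bug: the loop overwrites the -EINVAL initializer. */
static int find_empty_before(void)
{
    int i = -EINVAL;

    for (i = 0; i < MODES_MAX; i++) {
        if (modes[i])
            continue;
        break;
    }
    return i;                           /* MODES_MAX when every slot is taken */
}

/* Pattern described as the fix: a valid index or -EINVAL, nothing else. */
static int find_empty_after(void)
{
    for (int i = 0; i < MODES_MAX; i++)
        if (!modes[i])
            return i;
    return -EINVAL;
}

/* Hypothetical caller that treats "negative" as the only error signal.
 * The range check is demo-only: it reports the index that would be out of bounds. */
static int add_mode(int (*find_empty)(void), const char *name)
{
    int idx = find_empty();
    if (idx < 0)
        return idx;                     /* table full, clean failure */
    if (idx >= MODES_MAX)
        return -ERANGE;                 /* would have been modes[MODES_MAX] */
    modes[idx] = name;
    return idx;
}

int main(void)
{
    add_mode(find_empty_after, "mode-a");   /* constructed entries fill the table */
    add_mode(find_empty_after, "mode-b");
    printf("full table: before=%d after=%d\n",
           add_mode(find_empty_before, "mode-c"), add_mode(find_empty_after, "mode-c"));
    return 0;
}
```

With a free slot both finders agree; they diverge only once the table is full, which is the case a caller's `idx < 0` check cannot catch with the old return value.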
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.72 | c77b33b58512 |
| 6.18 | 6.18.11 | d75207465eed |
| 6.19 | 6.19.1 | de16f5bca05c |
| mainline | 7.0 | 48329301969f |