Linux kernel: Shadow Call Stack bounds misuse may crash or misreport
CVE-2025-71102 Published on January 14, 2026
scs: fix a wrong parameter in __scs_magic
In the Linux kernel, the following vulnerability has been resolved:
scs: fix a wrong parameter in __scs_magic
__scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is
given. 'task_scs(tsk)' is the starting address of the task's shadow call
stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's
shadow call stack. Here should be '__scs_magic(task_scs(tsk))'.
The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE
is enabled, the shadow call stack usage checking function
(scs_check_usage) would scan an incorrect memory range. This could lead
1. **Inaccurate stack usage reporting**: The function would calculate
wrong usage statistics for the shadow call stack, potentially showing
incorrect value in kmsg.
2. **Potential kernel crash**: If the value of __scs_magic(tsk)is
greater than that of __scs_magic(task_scs(tsk)), the for loop may
access unmapped memory, potentially causing a kernel panic. However,
this scenario is unlikely because task_struct is allocated via the slab
allocator (which typically returns lower addresses), while the shadow
call stack returned by task_scs(tsk) is allocated via vmalloc(which
typically returns higher addresses).
However, since this is purely a debugging feature
(CONFIG_DEBUG_STACK_USAGE), normal production systems should be not
unaffected. The bug only impacts developers and testers who are actively
debugging stack usage with this configuration enabled.
Products Associated with CVE-2025-71102
stack.watch emails you whenever new vulnerabilities are published in Linux Kernel or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
Linux:- Version 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 and below 1727e8bd69103a68963a5613a0ddb6d8d37df5d3 is affected.
- Version 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 and below cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c is affected.
- Version 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 and below 57ba40b001be27786d0570dd292289df748b306b is affected.
- Version 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 and below 062774439d442882b44f5eab8c256ad3423ef284 is affected.
- Version 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 and below 9ef28943471a16e4f9646bc3e8e2de148e7d8d7b is affected.
- Version 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 and below a19fb3611e4c06624fc0f83ef19f4fb8d57d4751 is affected.
- Version 5bbaf9d1fcb9be696ee9a61636ab6803556c70f2 and below 08bd4c46d5e63b78e77f2605283874bbe868ab19 is affected.
- Version 5.8 is affected.
- Before 5.8 is unaffected.
- Version 5.10.248, <= 5.10.* is unaffected.
- Version 5.15.198, <= 5.15.* is unaffected.
- Version 6.1.160, <= 6.1.* is unaffected.
- Version 6.6.120, <= 6.6.* is unaffected.
- Version 6.12.64, <= 6.12.* is unaffected.
- Version 6.18.3, <= 6.18.* is unaffected.
- Version 6.19, <= * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.