
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-38062 is a Linux kernel vulnerability in the IOMMU translation of MSI message addresses. It was disclosed on June 18, 2025, and affects the kernel's handling of MSI (Message Signaled Interrupts) descriptors (NVD, Wiz).
The vulnerability stems from the two-step process used for IOMMU translation of MSI message addresses: first, iommu_dma_prepare_msi() stores a cookie pointer containing the IOVA address in the MSI descriptor during interrupt allocation; second, iommu_dma_compose_msi_msg() uses this cookie pointer to compute a translated message address. The pointer stored in the cookie must remain valid between the two steps, but there is no locking at the irq layer to protect its lifetime, so the design has an inherent lifetime problem (NVD).
The vulnerability could lead to use-after-free (UAF) conditions in two places: through the cookie pointer, and through the unlocked call to iommu_get_domain_for_dev() on the MSI translation path. This occurs particularly when the IOMMU domain can be changed during VFIO operation (Wiz).
The vulnerability has been fixed by removing the cookie pointer and storing the translated IOVA address directly as an integer in the MSI descriptor, as this address is already known during iommu_dma_prepare_msi() and cannot change. The additional UAF related to iommu_get_domain_for_dev() is addressed in a separate patch that implements the IOMMU group mutex (Wiz).
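The following added example is a simplified user-space model of the fix pattern described above, not kernel code and not taken from the patch. All struct and function names are hypothetical, and the address composition is reduced to splitting a 64-bit IOVA into two 32-bit halves.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model types; they only mirror the roles named in the advisory. */
struct msi_page { uint64_t iova; };              /* memory owned by the IOMMU domain */
struct domain   { struct msi_page *page; };
struct msi_msg  { uint32_t address_hi, address_lo; };

/* Pre-fix shape: the descriptor borrows a pointer into domain-owned memory.
 * Nothing ties the pointee's lifetime to the descriptor, so it can dangle. */
struct desc_old { const struct msi_page *cookie; };

/* Post-fix shape: the descriptor owns a plain integer copy of the IOVA. */
struct desc_new { uint64_t msi_iova; int translated; };

static int domain_init(struct domain *d, uint64_t iova) {
    d->page = malloc(sizeof(*d->page));
    if (!d->page) return -1;
    d->page->iova = iova;
    return 0;
}

/* Models the domain being changed between the two steps: its page is freed. */
static void domain_teardown(struct domain *d) { free(d->page); d->page = NULL; }

/* Step 1 (allocation time): the IOVA is already known, so copy the value. */
static void prepare_new(struct desc_new *desc, const struct domain *d) {
    desc->msi_iova = d->page->iova;
    desc->translated = 1;
}

/* Step 2 (compose time): reads only the descriptor, never domain memory. */
static void compose_new(const struct desc_new *desc, struct msi_msg *msg) {
    if (!desc->translated) return;               /* no translation: leave msg as is */
    msg->address_hi = (uint32_t)(desc->msi_iova >> 32);
    msg->address_lo = (uint32_t)desc->msi_iova;
}

/* Prepare, free the domain's page, then compose; returns the composed address. */
static uint64_t compose_after_teardown(uint64_t iova) {
    struct domain d; struct desc_new desc = {0}; struct msi_msg msg = {0};
    if (domain_init(&d, iova)) return 0;
    prepare_new(&desc, &d);
    domain_teardown(&d);                         /* a desc_old cookie would dangle here */
    compose_new(&desc, &msg);
    return ((uint64_t)msg.address_hi << 32) | msg.address_lo;
}

int main(void) {
    printf("0x%llx\n", (unsigned long long)compose_after_teardown(0x108000040ULL)); /* constructed IOVA */
    return 0;
}
```

Because the second step reads only the value copied into the descriptor, freeing the domain's page between the two steps cannot affect the composed address.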
Source: This report was generated using AI