CVE-2025-71068 Overview
CVE-2025-71068 is a Linux kernel vulnerability in the SUNRPC server-side RDMA (svcrdma) transport. The function svc_rdma_copy_inline_range indexes rqstp->rq_pages[rc_curpage] without verifying that rc_curpage stays within the allocated page array. The fix adds bound checks before the first use and after advancing to a new page. The flaw affects Linux kernel 6.19 release candidates and earlier maintained branches receiving the backport.
Critical Impact
A local low-privileged actor on a system running an RDMA-enabled NFS server can trigger out-of-bounds memory access in the kernel, leading to memory corruption, information disclosure, or denial of service.
Affected Products
- Linux kernel 6.19-rc1 through 6.19-rc8
- Linux kernel stable branches receiving the svc_rdma_copy_inline_range change
- Distributions shipping the affected svcrdma server code in net/sunrpc/xprtrdma/
Discovery Timeline
- 2026-01-13 - CVE-2025-71068 published to NVD
- 2026-04-03 - Last updated in NVD database
Technical Details for CVE-2025-71068
Vulnerability Analysis
The vulnerability resides in svc_rdma_copy_inline_range, part of the kernel's server-side Remote Direct Memory Access (RDMA) transport for SUNRPC. The function copies inline payload data from an incoming RPC request into pages from rqstp->rq_pages, using rc_curpage as the page index. The original implementation advanced rc_curpage as it filled pages but never validated that the index remained within the bounds of the allocated array.
When a crafted or malformed RDMA request supplies length parameters that drive the copy past the last allocated page, the function dereferences rq_pages[rc_curpage] beyond the array boundary. This yields an out-of-bounds read or write in kernel memory depending on the operation that follows the page lookup. The CWE classification is recorded as NVD-CWE-noinfo, but the defect aligns with classic boundary condition errors in array indexing.
The attack vector is local with low privileges and no user interaction. The vulnerability impacts confidentiality, integrity, and availability because kernel-mode memory corruption can be leveraged for privilege escalation or system crashes.
Root Cause
The root cause is missing boundary validation on the rc_curpage index inside svc_rdma_copy_inline_range. The patches insert guards before the first dereference of rq_pages[rc_curpage] and after each increment of the index, refusing to proceed when the index would exceed the allocated page count.
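The guard placement described above, shown as a simplified user-space model added here for illustration; it is not the kernel source or the upstream patch. The struct, the function name, the 16-byte page size and the two-page array are hypothetical stand-ins for rqstp->rq_pages and rc_curpage.

```c
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 16u  /* tiny "page" so the sample is easy to trace */
#define MODEL_MAX_PAGES 2u   /* stands in for the allocated rq_pages count */

/* Hypothetical stand-in for the receive context; not the kernel structure. */
struct model_ctxt {
    unsigned char pages[MODEL_MAX_PAGES][MODEL_PAGE_SIZE];
    unsigned int curpage;    /* plays the role of rc_curpage */
    unsigned int pageoff;    /* write offset inside the current page */
};

/* Copy len bytes from src into the page array.
 * Returns 0 on success, -1 if the copy would index past the last page. */
int model_copy_inline_range(struct model_ctxt *c, const unsigned char *src, unsigned int len)
{
    while (len > 0) {
        /* One guard covers the first use and every use after an advance. */
        if (c->curpage >= MODEL_MAX_PAGES)
            return -1;

        unsigned int room = MODEL_PAGE_SIZE - c->pageoff;
        unsigned int n = len < room ? len : room;

        memcpy(&c->pages[c->curpage][c->pageoff], src, n);
        src += n;
        len -= n;
        c->pageoff += n;
        if (c->pageoff == MODEL_PAGE_SIZE) {  /* page full: advance the index */
            c->curpage++;
            c->pageoff = 0;
        }
    }
    return 0;
}

int main(void)
{
    struct model_ctxt c;
    unsigned char buf[40];               /* constructed sample payload */
    memset(&c, 0, sizeof c);
    memset(buf, 0xAB, sizeof buf);
    printf("fill both pages exactly: %d\n", model_copy_inline_range(&c, buf, 32));
    printf("one byte more: %d\n", model_copy_inline_range(&c, buf, 1));
    return 0;
}
```

Because the guard sits at the top of the loop, a copy that ends exactly on the last page boundary still succeeds even though the index now equals the page count; only a further byte is refused. In this model a refused copy may already have written the bytes that fit, so the caller has to discard the whole request.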
Attack Vector
An attacker requires local access to a host where an RDMA-aware NFS or RPC server is processing inline requests. By sending RPC messages with crafted segment lengths over the RDMA transport, the attacker forces svc_rdma_copy_inline_range to advance rc_curpage beyond the valid range, corrupting kernel memory or leaking data from adjacent allocations.
No public proof-of-concept exploit is available, and EPSS scoring reflects a low probability of observed exploitation. See the upstream commits for the precise code change: Linux kernel commit a22316f5 and Linux kernel commit da1ccfc4.
Detection Methods for CVE-2025-71068
Indicators of Compromise
- Kernel oops or panic messages referencing svc_rdma_copy_inline_range, svcrdma, or xprtrdma in dmesg or /var/log/messages
- KASAN reports flagging out-of-bounds access against rqstp->rq_pages on hosts running RDMA-backed NFS servers
- Unexpected NFS-over-RDMA service restarts or hangs correlated with anomalous client traffic
Detection Strategies
- Inventory all Linux hosts loading the svcrdma and rpcrdma modules using lsmod and flag those running unpatched kernel versions
- Enable Kernel Address Sanitizer (KASAN) in test environments to surface the out-of-bounds dereference during fuzzing of RDMA RPC traffic
- Correlate kernel ring buffer entries with RDMA client connection logs to identify malformed inline RPC requests
Monitoring Recommendations
- Forward dmesg, journald, and audit logs from NFS-over-RDMA servers to a central analytics platform for kernel fault signatures
- Alert on repeated svcrdma-related warnings or BUG entries from the same RDMA peer
- Track kernel package versions across the fleet to confirm rollout of the fixed builds
How to Mitigate CVE-2025-71068
Immediate Actions Required
- Apply the upstream stable kernel updates that include the svc_rdma_copy_inline_range bound checks
- Restrict access to NFS-over-RDMA endpoints to trusted networks and authenticated clients until patches are deployed
- Unload the svcrdma module on systems that do not require server-side RDMA RPC if patching is delayed
Patch Information
Fixes are merged in upstream Linux and propagated to maintained stable branches. Reference the patches at Linux kernel commit 5f140b52, Linux kernel commit 7ba826aa, Linux kernel commit a22316f5, Linux kernel commit d1bea0ce, and Linux kernel commit da1ccfc4. Apply the vendor kernel update corresponding to your distribution and reboot to load the patched image.
Workarounds
- Disable the NFS-over-RDMA server by stopping the NFS service and removing the svcrdma module via modprobe -r svcrdma
- Block RDMA transport ports at the network layer to prevent untrusted clients from reaching the affected code path
- Run unprivileged workloads in containers or VMs with no access to RDMA devices to reduce the local attack surface
# Verify svcrdma module status and unload if not required
lsmod | grep svcrdma
sudo systemctl stop nfs-server
sudo modprobe -r svcrdma
# Prevent automatic load
echo 'blacklist svcrdma' | sudo tee /etc/modprobe.d/blacklist-svcrdma.conf