CVE-2025-71070 Overview
A reference count leak vulnerability has been identified in the Linux kernel's ublk (userspace block device) subsystem. When a ublk server process releases a ublk character device file, any requests that were dispatched to the ublk server but not yet completed retain an incorrect reference count value of UBLK_REFCOUNT_INIT. This reference count leak incorrectly allows user copy and zero copy operations on completed ublk requests, potentially leading to memory safety issues and system instability.
Critical Impact
The leaked reference count enables unauthorized user copy and zero copy operations on completed ublk requests, while also triggering WARN_ON_ONCE(refcount_read(&io->ref)) warnings in ublk_queue_reinit() and ublk_deinit_queue() functions.
Affected Products
- Linux Kernel (ublk subsystem)
- Systems using UBLK_F_USER_COPY reference-counted data copy mode
- Systems using UBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG flags
Discovery Timeline
- 2026-01-13 - CVE CVE-2025-71070 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71070
Vulnerability Analysis
This vulnerability is a reference count leak in the Linux kernel's ublk driver, which manages userspace block devices. The issue was introduced by commit e63d2228ef83 ("ublk: simplify aborting ublk request"), which optimized the __ublk_fail_req() function to call __ublk_complete_rq() directly without decrementing the request reference count.
Before this optimization, __ublk_fail_req() would properly decrement the reference count before completing the failed request. The change inadvertently created a code path where reference counts are not properly cleaned up when the ublk server process exits while requests are still pending.
While commit c5c5eb24ed61 ("ublk: avoid ublk_io_release() called after ublk char dev is closed") addressed this issue for ublk devices using UBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG, it did not account for UBLK_F_USER_COPY, another reference-counted data copy mode that is also affected by this vulnerability.
Root Cause
The root cause is an incomplete condition check in the ublk_check_and_reset_active_ref() function. The function fails to include all reference-counted data copy modes when determining whether to reset reference counts for pending requests during ublk server exit. Specifically, the UBLK_F_USER_COPY mode was not included in the conditional check, allowing requests using this mode to retain their reference counts even after the ublk server process has terminated.
Attack Vector
The vulnerability can be triggered when a ublk server process unexpectedly exits or releases the ublk character device file while I/O requests are still in flight. The leaked reference count allows continued user copy and zero copy operations on memory regions associated with already-completed requests, potentially leading to use-after-free conditions or memory corruption. This is a local attack vector requiring access to the ublk subsystem.
Detection Methods for CVE-2025-71070
Indicators of Compromise
- Kernel warning messages containing WARN_ON_ONCE(refcount_read(&io->ref)) in ublk_queue_reinit() or ublk_deinit_queue() functions
- Unexpected ublk server process terminations followed by system instability
- Memory corruption indicators in systems actively using ublk userspace block devices
- Kernel log entries showing reference count warnings in the ublk subsystem
Detection Strategies
- Monitor kernel logs for WARN_ON_ONCE warnings related to ublk reference counts
- Implement alerting for unexpected ublk server process terminations
- Use kernel debugging tools to track reference count anomalies in the ublk subsystem
- Deploy runtime memory corruption detection tools on systems using ublk devices
Monitoring Recommendations
- Enable kernel logging with appropriate verbosity to capture ublk subsystem warnings
- Monitor for abnormal ublk server process lifecycle events
- Track kernel memory allocation patterns on systems using userspace block devices
- Implement system health monitoring for unexpected kernel warnings or crashes
How to Mitigate CVE-2025-71070
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- Review systems using ublk with UBLK_F_USER_COPY flag for potential impact
- Ensure ublk server processes are properly managed and monitored for unexpected terminations
- Apply kernel patches from the official kernel git repositories
Patch Information
The fix corrects the condition in ublk_check_and_reset_active_ref() to include all reference-counted data copy modes, ensuring that any ublk requests still owned by the ublk server when it exits have their reference counts properly reset to 0.
Patches are available at:
Workarounds
- Ensure proper ublk server process management to minimize unexpected terminations
- Consider disabling ublk functionality if not required until patches can be applied
- Implement process monitoring and automatic restart mechanisms for ublk server processes
- Avoid using UBLK_F_USER_COPY mode on unpatched systems if alternative configurations are available
# Check for kernel warning messages related to ublk reference counts
dmesg | grep -i "ublk" | grep -i "refcount\|WARN"
# Monitor ublk server process status
systemctl status ublk-server 2>/dev/null || ps aux | grep ublk
# Verify kernel version for patch status
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
