CVE-2025-71084 Overview
CVE-2025-71084 is a memory leak vulnerability in the Linux kernel's RDMA (Remote Direct Memory Access) Connection Manager (CM) subsystem. The vulnerability occurs when a CM ID is destroyed while the CM event for multicast creation is still queued. In this scenario, cancel_work_sync() prevents the queued work from executing, which in turn prevents the proper destruction of the ah_attr structure. This results in a leaked reference count to the multicast GID (Global Identifier) table.
Critical Impact
This vulnerability can cause GID table reference leaks in InfiniBand devices, triggering kernel warnings and potentially leading to resource exhaustion over time in systems utilizing RDMA multicast functionality.
Affected Products
- Linux kernel with RDMA/CM subsystem enabled
- Systems utilizing InfiniBand multicast functionality
- Kernel versions prior to the patched stable releases
Discovery Timeline
- 2026-01-13 - CVE-2025-71084 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71084
Vulnerability Analysis
The vulnerability resides in the Linux kernel's RDMA Connection Manager, specifically in the handling of multicast group operations. When a user application creates a multicast connection, the kernel allocates resources including a reference to the GID table entry. The CM subsystem uses work queues to process events asynchronously, including multicast creation events.
The flaw occurs during the teardown sequence when a CM ID is destroyed while a multicast creation event is still pending in the work queue. The cancel_work_sync() function is called to cancel any pending work, but this prevents the normal execution path that would properly release the ah_attr (Address Handle Attributes) structure and its associated GID table reference.
The kernel generates a warning message indicating the leak:
GID entry ref leak for dev syz1 index 2 ref=573
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886
Root Cause
The root cause is improper resource cleanup in the RDMA CM destruction path. When cancel_work_sync() is invoked to cancel pending multicast creation work, the code fails to account for resources that would have been freed by the canceled work item. Specifically, the ah_attr structure holds a reference to the GID table entry, and when the work is canceled before execution, this reference is never released.
The fix ensures that ah_attr is properly destroyed after canceling the work, with the implementation being safe to call even if the attribute was already destroyed through normal execution paths.
Attack Vector
The attack vector for this vulnerability is unknown based on the available data. The issue is primarily a resource management bug that could be triggered through normal RDMA operations or potentially exploited by:
- Repeatedly creating and rapidly destroying multicast connections
- Timing attacks that increase the likelihood of hitting the race condition between CM ID destruction and work queue processing
- Local users with access to RDMA devices exhausting kernel resources through repeated exploitation
The vulnerability manifests in the RDMA CM subsystem's multicast handling code. The fix involves adding explicit cleanup of ah_attr after cancel_work_sync() to ensure the GID table reference is properly released regardless of whether the work item executed. See the kernel stable commits for detailed technical implementation.
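The leak and the fix described under Root Cause and restated above, as a simplified userspace C model added here (it is not kernel code and not the upstream patch). All struct and function names are hypothetical stand-ins: cancel_work() models cancel_work_sync(), and destroy_ah_attr() models the idempotent ah_attr cleanup.

```c
/* Userspace model of the teardown race; all names are hypothetical. */
#include <stdio.h>

struct gid_entry { int ref; };                /* one GID table slot */
struct ah_attr   { struct gid_entry *gid; };  /* holds one GID reference */
struct mc_work   { int pending; struct ah_attr attr; };

/* Idempotent release: safe even if the work handler already ran. */
static void destroy_ah_attr(struct ah_attr *a) {
    if (a->gid)
        a->gid->ref--;
    a->gid = NULL;
}

/* Multicast creation finished: take a GID reference, queue the event. */
static void queue_mc_event(struct mc_work *w, struct gid_entry *g) {
    g->ref++;
    w->attr.gid = g;
    w->pending = 1;
}

/* Normal path: the handler delivers the event, then drops the reference. */
static void run_work(struct mc_work *w) {
    if (w->pending) {
        w->pending = 0;
        destroy_ah_attr(&w->attr);
    }
}

/* Models cancel_work_sync(): after this the handler never runs. */
static void cancel_work(struct mc_work *w) { w->pending = 0; }

/* Returns the GID references still held after the CM ID is torn down. */
int leaked_refs(int fixed, int work_ran_first) {
    struct gid_entry gid = { 0 };
    struct mc_work w = { 0 };
    queue_mc_event(&w, &gid);
    if (work_ran_first)
        run_work(&w);
    cancel_work(&w);
    if (fixed)
        destroy_ah_attr(&w.attr);  /* cleanup added after the cancel */
    return gid.ref;
}

int main(void) {
    printf("unpatched: %d, patched: %d\n", leaked_refs(0, 0), leaked_refs(1, 0));
    return 0;
}
```

Only the combination of unpatched teardown and a still-queued work item leaves a reference behind; the patched path is correct whether or not the handler ran first.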
Detection Methods for CVE-2025-71084
Indicators of Compromise
- Kernel warning messages containing "GID entry ref leak" in system logs
- Warnings referencing release_gid_table or gid_table_release_one functions in drivers/infiniband/core/cache.c
- Increasing GID table reference counts that are not released over time
- System instability in RDMA-enabled systems, particularly those using multicast functionality
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for RDMA-related warnings and GID leak messages
- Implement SentinelOne Singularity Platform's kernel integrity monitoring to detect anomalous kernel behavior patterns
- Use kernel tracing tools (ftrace, perf) to monitor cancel_work_sync and gid_table_release_one function interactions
- Configure alerting on WARNING entries from the InfiniBand core subsystem
Monitoring Recommendations
- Enable comprehensive kernel logging on systems with RDMA/InfiniBand hardware
- Deploy SentinelOne agents with kernel-level visibility for real-time detection of exploitation attempts
- Monitor system resource utilization for unexpected memory growth in kernel space
- Track InfiniBand device statistics for anomalous reference count patterns
How to Mitigate CVE-2025-71084
Immediate Actions Required
- Apply the latest kernel updates from your Linux distribution that include the RDMA/CM fix
- If immediate patching is not possible, consider temporarily disabling RDMA multicast functionality on critical systems
- Monitor affected systems for signs of resource exhaustion or kernel warnings
- Review system logs for any existing occurrences of GID table reference leaks
Patch Information
The vulnerability has been addressed in multiple kernel stable branches. The following commits contain the fix:
- Commit c0acdee513239e1d6e1b490f56be0e6837dfd162
- Commit ab668a58c4a2ccb6d54add7a76f2f955d15d0196
- Commit 5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3
- Commit 57f3cb6c84159d12ba343574df2115fb18dd83ca
- Commit 3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5
System administrators should update to a kernel version that includes one of these commits or apply the patch to their current kernel.
Workarounds
- Limit RDMA multicast functionality to trusted users and applications until patching is complete
- Implement resource monitoring and automatic system restart procedures if GID leaks are detected
- Consider using network namespaces to isolate RDMA-dependent applications
- Apply access controls to restrict access to InfiniBand devices (/dev/infiniband/*)
# Check current kernel version
uname -r
# Update kernel on Debian/Ubuntu systems
sudo apt update && sudo apt upgrade linux-image-$(uname -r)
# Update kernel on RHEL/CentOS systems
sudo yum update kernel
# Verify RDMA module status
lsmod | grep rdma
# Monitor for GID leak warnings
dmesg | grep -i "GID entry ref leak"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

