Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71084

CVE-2025-71084: Linux Kernel Memory Leak Vulnerability

CVE-2025-71084 is a memory leak flaw in the Linux Kernel RDMA/CM that causes GID table reference leaks when CM IDs are destroyed. This article covers the technical details, affected versions, impact, and mitigation.

Updated:

CVE-2025-71084 Overview

CVE-2025-71084 is a reference count leak in the Linux kernel's RDMA Connection Manager (RDMA/cm) subsystem. The flaw resides in the multicast GID table handling logic. When a CM ID is destroyed while a CM event for multicast creation remains queued, cancel_work_sync() prevents the deferred work from executing. This blocks the destruction of the ah_attr structure, leaking a GID table reference and triggering a kernel WARN.

The issue affects multiple Linux kernel versions, including the 6.19 release candidates and earlier stable branches dating back to 5.12. Exploitation requires local access with low privileges and results in availability impact through resource exhaustion.

Critical Impact

A local low-privileged user repeatedly destroying CM IDs during queued multicast events can leak GID table references, exhaust kernel resources, and trigger kernel warnings that degrade system availability.

Affected Products

  • Linux Kernel versions prior to the patched commits across multiple stable branches
  • Linux Kernel 5.12 (initial introduction of the affected code path)
  • Linux Kernel 6.19-rc1 through 6.19-rc8

Discovery Timeline

  • 2026-01-13 - CVE-2025-71084 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2025-71084

Vulnerability Analysis

The vulnerability exists in the Linux kernel's InfiniBand RDMA Communication Manager (CM) subsystem, which manages connection establishment for Remote Direct Memory Access transports. The CM subsystem queues work items to handle multicast group join events asynchronously. Each multicast event carries an address handle attribute (ah_attr) that holds a reference to an entry in the GID (Global Identifier) table.

When userspace destroys a CM ID while a multicast creation event remains queued, the kernel invokes cancel_work_sync() to prevent the pending work from running. However, the destruction logic for ah_attr lives inside that cancelled work handler. The cancellation path skips releasing the GID reference, leaving the refcount unbalanced.

The resulting state produces the following kernel warning in drivers/infiniband/core/cache.c:

GID entry ref leak for dev syz1 index 2 ref=573
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809
release_gid_table drivers/infiniband/core/cache.c:806 [inline]
gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886

The syz1 device name in the trace indicates the bug was reproduced via syzkaller fuzzing.

Root Cause

The root cause is a missing cleanup step on the cancellation path. The original code relied on the queued work to call the ah_attr destructor, which in turn drops the GID table reference. When cancel_work_sync() runs, the work never executes, and ah_attr is never destroyed. This pattern fits the classification [NVD-CWE-Other] and reflects a resource management error where an error or teardown path fails to release acquired references.

Attack Vector

A local attacker with permission to open an RDMA CM userspace device can craft a sequence of multicast join and CM ID destruction operations. Repeated triggering of the race window between event queuing and CM ID destruction leaks GID table references on each iteration. Sustained abuse exhausts kernel resources tied to the device and produces continuous kernel warnings, ultimately impacting availability. The vector is local with no user interaction required.

Detection Methods for CVE-2025-71084

Indicators of Compromise

  • Kernel log entries containing GID entry ref leak for dev followed by an increasing reference count value.
  • WARNING traces originating from release_gid_table or gid_table_release_one in drivers/infiniband/core/cache.c.
  • Unusual frequency of RDMA CM ID creation and destruction events from unprivileged processes.

Detection Strategies

  • Monitor dmesg and /var/log/kern.log for the specific GID leak warning signature emitted by the kernel.
  • Audit processes that open /dev/infiniband/rdma_cm and track their CM ID lifecycle operations through kernel tracing facilities such as ftrace or bpftrace.
  • Correlate elevated kernel warning rates with RDMA workload anomalies in centralized log aggregation.

Monitoring Recommendations

  • Forward kernel warnings from InfiniBand drivers to a centralized SIEM and alert on patterns matching GID entry ref leak.
  • Track per-process RDMA syscall frequency to identify abusive userspace patterns.
  • Establish baselines for RDMA CM activity on production hosts to detect deviation indicative of exploitation attempts.

How to Mitigate CVE-2025-71084

Immediate Actions Required

  • Apply the upstream Linux kernel patches referenced in the vendor advisories to all affected systems.
  • Identify hosts with InfiniBand or RoCE hardware where the ib_cm and rdma_cm modules are loaded.
  • Restrict access to /dev/infiniband/* device nodes to trusted users and groups only.
  • Prioritize patching on multi-tenant systems and shared HPC clusters where untrusted local users may exist.

Patch Information

The fix destroys the ah_attr after cancel_work_sync() completes, taking advantage of the fact that the destruction routine is safe to call twice. Patches have been backported across multiple stable branches and are available in the following commits: 3ba6d01, 57f3cb6, 5cb34bb, ab668a5, abf3839, c0acdee, and d5ce588.

Workarounds

  • Blacklist the rdma_cm and ib_cm kernel modules on systems that do not require RDMA functionality.
  • Tighten file permissions on /dev/infiniband/rdma_cm to limit exposure until patches are deployed.
  • Use Linux capability controls or namespaces to prevent untrusted workloads from accessing RDMA interfaces.
bash
# Verify RDMA module status and restrict access until patched
lsmod | grep -E 'rdma_cm|ib_cm'

# Temporarily blacklist if RDMA is not required
echo 'blacklist rdma_cm' | sudo tee /etc/modprobe.d/disable-rdma.conf
echo 'blacklist ib_cm' | sudo tee -a /etc/modprobe.d/disable-rdma.conf
sudo update-initramfs -u

# Restrict device node permissions
sudo chmod 600 /dev/infiniband/rdma_cm

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.