Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71092

CVE-2025-71092: Linux Kernel Buffer Overflow Vulnerability

CVE-2025-71092 is a buffer overflow vulnerability in the Linux kernel's RDMA/bnxt_re driver that causes out-of-bounds writes in hardware statistics. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-71092 Overview

A memory corruption vulnerability exists in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, specifically within the Broadcom NetXtreme-E RoCE (RDMA over Converged Ethernet) driver. The vulnerability occurs in the bnxt_re_copy_err_stats() function where an out-of-bounds write condition can be triggered due to improper hardware statistics counter allocation boundaries.

The issue was introduced when commit ef56081d1864 added three new counters (BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS) and incorrectly positioned them after the BNXT_RE_OUT_OF_SEQ_ERR boundary marker. This boundary marker determines memory allocation size for hardware statistics on chip_gen_p5_p7 devices, resulting in writes beyond the allocated buffer when these counters are accessed.

Critical Impact

Local attackers with access to RDMA subsystem may trigger out-of-bounds memory writes, potentially leading to kernel memory corruption, denial of service, or privilege escalation.

Affected Products

  • Linux kernel with RDMA/bnxt_re driver enabled
  • Systems using Broadcom NetXtreme-E RoCE adapters
  • chip_gen_p5_p7 class network devices with RDMA capabilities

Discovery Timeline

  • 2026-01-13 - CVE CVE-2025-71092 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-71092

Vulnerability Analysis

The vulnerability stems from a boundary marker mismatch in the hardware statistics counter enumeration within the bnxt_re RDMA driver. The BNXT_RE_OUT_OF_SEQ_ERR constant serves as a critical boundary that determines memory allocation sizes through BNXT_RE_NUM_STD_COUNTERS. When the new counters were placed after this boundary marker, the allocation logic continued using the original BNXT_RE_NUM_STD_COUNTERS value while the actual counter access extended beyond the allocated memory region.

This type of out-of-bounds write vulnerability in kernel space is particularly dangerous as it can corrupt adjacent kernel memory structures, potentially allowing attackers to manipulate kernel data or achieve code execution in ring 0 context.

Root Cause

The root cause is an ordering error in the counter enumeration. The three new counters (BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS) are applicable to generic hardware across all device generations, not exclusively to p5/p7 chipsets. However, they were incorrectly placed after the BNXT_RE_OUT_OF_SEQ_ERR boundary marker which defines the allocation boundary for hw_stats structures.

When the kernel allocates the hw_stats buffer, it uses BNXT_RE_NUM_STD_COUNTERS to determine the size. Since the new counters fall outside this count but are still accessed during statistics copying, the bnxt_re_copy_err_stats() function writes beyond the allocated buffer boundaries.

Attack Vector

The attack vector requires local access to a system with the vulnerable RDMA/bnxt_re driver loaded and a Broadcom NetXtreme-E network adapter present. An attacker would need to trigger statistics collection operations that invoke bnxt_re_copy_err_stats(), causing the out-of-bounds write to occur. This could potentially be achieved through:

  • Querying RDMA hardware counters via standard interfaces
  • Triggering network events that cause counter updates
  • Manipulating RDMA connections to generate error conditions that update the affected counters

The vulnerability allows writes to kernel memory adjacent to the hw_stats buffer, which depending on memory layout could corrupt other kernel structures or function pointers.

Detection Methods for CVE-2025-71092

Indicators of Compromise

  • Kernel panic or oops messages referencing bnxt_re_copy_err_stats or related RDMA functions
  • Unexpected system crashes during RDMA operations on Broadcom NetXtreme-E adapters
  • Memory corruption signatures in kernel logs related to slab allocator warnings

Detection Strategies

  • Monitor kernel logs for out-of-bounds access warnings from KASAN (Kernel Address Sanitizer) if enabled
  • Implement kernel-level integrity monitoring for unexpected modifications to RDMA driver memory regions
  • Deploy runtime anomaly detection for unusual RDMA statistics query patterns

Monitoring Recommendations

  • Enable KASAN or UBSAN in development/testing environments to catch memory corruption issues
  • Monitor dmesg output for bnxt_re driver warnings or errors
  • Track system stability metrics on hosts with Broadcom NetXtreme-E RDMA adapters

How to Mitigate CVE-2025-71092

Immediate Actions Required

  • Apply the kernel patch from the upstream Linux kernel repository
  • If patching is not immediately possible, consider disabling the bnxt_re RDMA driver if RoCE functionality is not required
  • Restrict access to RDMA interfaces to trusted users only

Patch Information

The fix involves relocating the three affected counters (BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS) to positions before the BNXT_RE_OUT_OF_SEQ_ERR boundary marker. This ensures they are included in the generic counter set and properly accounted for in the hw_stats allocation.

Patches are available through the Linux kernel stable tree:

Workarounds

  • Blacklist the bnxt_re kernel module if RDMA functionality is not required: add blacklist bnxt_re to /etc/modprobe.d/blacklist.conf
  • Restrict network access to systems running the vulnerable driver to limit potential attack surface
  • Apply kernel hardening options such as KASLR, SMAP, and SMEP to reduce exploitability
bash
# Configuration example
# Disable bnxt_re RDMA driver as a temporary workaround
echo "blacklist bnxt_re" | sudo tee /etc/modprobe.d/bnxt_re-blacklist.conf
sudo modprobe -r bnxt_re

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.