CVE-2025-71092 Overview
A memory corruption vulnerability exists in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, specifically within the Broadcom NetXtreme-E RoCE (RDMA over Converged Ethernet) driver. The vulnerability occurs in the bnxt_re_copy_err_stats() function where an out-of-bounds write condition can be triggered due to improper hardware statistics counter allocation boundaries.
The issue was introduced when commit ef56081d1864 added three new counters (BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS) and incorrectly positioned them after the BNXT_RE_OUT_OF_SEQ_ERR boundary marker. This boundary marker determines memory allocation size for hardware statistics on chip_gen_p5_p7 devices, resulting in writes beyond the allocated buffer when these counters are accessed.
Critical Impact
Local attackers with access to the RDMA subsystem may trigger out-of-bounds memory writes, potentially leading to kernel memory corruption, denial of service, or privilege escalation.
Affected Products
- Linux kernel with RDMA/bnxt_re driver enabled
- Systems using Broadcom NetXtreme-E RoCE adapters
- chip_gen_p5_p7 class network devices with RDMA capabilities
Discovery Timeline
- 2026-01-13 - CVE-2025-71092 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71092
Vulnerability Analysis
The vulnerability stems from a boundary marker mismatch in the hardware statistics counter enumeration within the bnxt_re RDMA driver. The BNXT_RE_OUT_OF_SEQ_ERR constant serves as a critical boundary that determines memory allocation sizes through BNXT_RE_NUM_STD_COUNTERS. When the new counters were placed after this boundary marker, the allocation logic continued using the original BNXT_RE_NUM_STD_COUNTERS value while the actual counter access extended beyond the allocated memory region.
This type of out-of-bounds write vulnerability in kernel space is particularly dangerous as it can corrupt adjacent kernel memory structures, potentially allowing attackers to manipulate kernel data or achieve code execution in ring 0 context.
Root Cause
The root cause is an ordering error in the counter enumeration. The three new counters (BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS) are applicable to generic hardware across all device generations, not exclusively to p5/p7 chipsets. However, they were incorrectly placed after the BNXT_RE_OUT_OF_SEQ_ERR boundary marker, which defines the allocation boundary for hw_stats structures.
When the kernel allocates the hw_stats buffer, it uses BNXT_RE_NUM_STD_COUNTERS to determine the size. Since the new counters fall outside this count but are still accessed during statistics copying, the bnxt_re_copy_err_stats() function writes beyond the allocated buffer boundaries.
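The ordering error can be modelled by comparing counter indices against the count derived from the boundary marker. This is an added example, not code from the bnxt_re driver: the enums are a reduced stand-in (GENERIC_A/B, the B_/F_ prefixes, NUM_STD and struct layout are hypothetical), it assumes the standard-counter count is derived as marker + 1, and it only compares indices without touching any buffer.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not the driver's real enum: GENERIC_A/B are placeholders
 * and only the marker and the three counters from the advisory are kept. */
enum buggy_order {
    B_GENERIC_A, B_GENERIC_B,
    B_OUT_OF_SEQ_ERR,              /* boundary marker */
    B_REQ_CQE_ERROR, B_RESP_CQE_ERROR, B_RESP_REMOTE_ACCESS_ERRS
};
enum fixed_order {
    F_GENERIC_A, F_GENERIC_B,
    F_REQ_CQE_ERROR, F_RESP_CQE_ERROR, F_RESP_REMOTE_ACCESS_ERRS,
    F_OUT_OF_SEQ_ERR               /* boundary marker stays last */
};

/* Assumption: the standard-counter count is derived as marker + 1. */
#define NUM_STD(marker) ((size_t)(marker) + 1)

/* Build-time guard for the corrected order: the last error counter must
 * index inside the allocation sized from the marker. */
_Static_assert(F_RESP_REMOTE_ACCESS_ERRS < F_OUT_OF_SEQ_ERR + 1,
               "error counter lies past the hw_stats allocation");

struct layout { int marker, req_cqe, resp_cqe, resp_remote; };

static const struct layout buggy = { B_OUT_OF_SEQ_ERR, B_REQ_CQE_ERROR,
                                     B_RESP_CQE_ERROR, B_RESP_REMOTE_ACCESS_ERRS };
static const struct layout fixed = { F_OUT_OF_SEQ_ERR, F_REQ_CQE_ERROR,
                                     F_RESP_CQE_ERROR, F_RESP_REMOTE_ACCESS_ERRS };

/* Number of error-counter slots that land outside NUM_STD(marker) entries. */
size_t slots_past_allocation(const struct layout *l)
{
    const int written[] = { l->req_cqe, l->resp_cqe, l->resp_remote };
    size_t bad = 0;
    for (size_t i = 0; i < sizeof written / sizeof written[0]; i++)
        if ((size_t)written[i] >= NUM_STD(l->marker))
            bad++;
    return bad;
}

int main(void)
{
    printf("original order: %zu slots past allocation\n", slots_past_allocation(&buggy));
    printf("patched order:  %zu slots past allocation\n", slots_past_allocation(&fixed));
    return 0;
}
```

A compile-time assertion of this kind turns a misplaced enum entry into a build failure instead of a runtime overrun.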
Attack Vector
The attack vector requires local access to a system with the vulnerable RDMA/bnxt_re driver loaded and a Broadcom NetXtreme-E network adapter present. An attacker would need to trigger statistics collection operations that invoke bnxt_re_copy_err_stats(), causing the out-of-bounds write to occur. This could potentially be achieved through:
- Querying RDMA hardware counters via standard interfaces
- Triggering network events that cause counter updates
- Manipulating RDMA connections to generate error conditions that update the affected counters
The vulnerability allows writes to kernel memory adjacent to the hw_stats buffer, which depending on memory layout could corrupt other kernel structures or function pointers.
Detection Methods for CVE-2025-71092
Indicators of Compromise
- Kernel panic or oops messages referencing bnxt_re_copy_err_stats or related RDMA functions
- Unexpected system crashes during RDMA operations on Broadcom NetXtreme-E adapters
- Memory corruption signatures in kernel logs related to slab allocator warnings
Detection Strategies
- Monitor kernel logs for out-of-bounds access warnings from KASAN (Kernel Address Sanitizer) if enabled
- Implement kernel-level integrity monitoring for unexpected modifications to RDMA driver memory regions
- Deploy runtime anomaly detection for unusual RDMA statistics query patterns
Monitoring Recommendations
- Enable KASAN or UBSAN in development/testing environments to catch memory corruption issues
- Monitor dmesg output for bnxt_re driver warnings or errors
- Track system stability metrics on hosts with Broadcom NetXtreme-E RDMA adapters
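The log indicators above can be checked with a small stateful scan that attributes a KASAN, UBSAN or oops report to this bug only when the report header or its following trace names bnxt_re_copy_err_stats. This is an added example, not tooling from the page or the kernel project: the log lines are constructed samples, and the function names and the window parameter are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed dmesg-style sample; addresses, offsets and names are made up. */
static const char *const sample_log[] = {
    "bnxt_en 0000:3b:00.0 eth0: NIC Link is Up",
    "BUG: KASAN: slab-out-of-bounds in bnxt_re_copy_err_stats+0x1a4/0x2c0 [bnxt_re]",
    "Call Trace:",
    " bnxt_re_copy_err_stats+0x1a4/0x2c0 [bnxt_re]",
    "UBSAN: array-index-out-of-bounds in drivers/example/foo.c:10:2",
    " foo_probe+0x10/0x20 [foo]",
    "Oops: 0002 [#1] SMP",
    "RIP: 0010:bnxt_re_copy_err_stats+0x1a4/0x2c0 [bnxt_re]",
};
#define SAMPLE_LEN (sizeof sample_log / sizeof sample_log[0])

/* Lines that open a kernel sanitizer or crash report. */
static int is_report_header(const char *line)
{
    return strstr(line, "BUG: KASAN:") || strstr(line, "UBSAN:") ||
           strstr(line, "Oops:");
}

/* Count reports whose header, or one of the `window` lines after it, names
 * bnxt_re_copy_err_stats. Each report is counted once. */
size_t count_attributed_reports(const char *const *lines, size_t n, size_t window)
{
    size_t hits = 0, left = 0;
    int counted = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_report_header(lines[i])) {
            left = window + 1;      /* header line plus `window` followers */
            counted = 0;
        }
        if (left > 0) {
            if (!counted && strstr(lines[i], "bnxt_re_copy_err_stats")) {
                hits++;
                counted = 1;
            }
            left--;
        }
    }
    return hits;
}

int main(void)
{
    printf("attributed reports: %zu\n", count_attributed_reports(sample_log, SAMPLE_LEN, 8));
    return 0;
}
```

The UBSAN report in the sample is not counted because its trace belongs to an unrelated module, which keeps alerts specific to this driver path.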
How to Mitigate CVE-2025-71092
Immediate Actions Required
- Apply the kernel patch from the upstream Linux kernel repository
- If patching is not immediately possible, consider disabling the bnxt_re RDMA driver if RoCE functionality is not required
- Restrict access to RDMA interfaces to trusted users only
Patch Information
The fix involves relocating the three affected counters (BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS) to positions before the BNXT_RE_OUT_OF_SEQ_ERR boundary marker. This ensures they are included in the generic counter set and properly accounted for in the hw_stats allocation.
Patches are available through the Linux kernel stable tree:
Workarounds
- Blacklist the bnxt_re kernel module if RDMA functionality is not required: add blacklist bnxt_re to /etc/modprobe.d/blacklist.conf
- Restrict network access to systems running the vulnerable driver to limit potential attack surface
- Apply kernel hardening options such as KASLR, SMAP, and SMEP to reduce exploitability
# Configuration example
# Disable bnxt_re RDMA driver as a temporary workaround
echo "blacklist bnxt_re" | sudo tee /etc/modprobe.d/bnxt_re-blacklist.conf
sudo modprobe -r bnxt_re