The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71096

CVE-2025-71096: Linux Kernel Information Disclosure Flaw

CVE-2025-71096 is an information disclosure vulnerability in the Linux kernel RDMA core that allows uninitialized memory reads. This article covers the technical details, affected systems, security impact, and mitigation steps.

Updated: January 22, 2026

CVE-2025-71096 Overview

A vulnerability has been identified in the Linux kernel's RDMA (Remote Direct Memory Access) core subsystem. The flaw exists in the handling of netlink responses for RDMA_NL_LS_OP_IP_RESOLVE operations, where the LS_NLA_TYPE_DGID attribute presence is not properly validated. When userspace fails to provide the required DGID attribute to a kernel-initiated query, the system reads uninitialized memory from the stack, leading to potential information disclosure or system instability.

Critical Impact

Userspace-triggered uninitialized memory read in RDMA netlink handling can expose sensitive kernel stack data and potentially cause system crashes.

Affected Products

  • Linux Kernel (RDMA/core subsystem)
  • Systems utilizing InfiniBand RDMA functionality
  • Linux distributions with RDMA kernel modules enabled

Discovery Timeline

  • January 13, 2026 - CVE-2025-71096 published to NVD
  • January 13, 2026 - Last updated in NVD database

Technical Details for CVE-2025-71096

Vulnerability Analysis

This vulnerability is classified as an Uninitialized Memory Use issue affecting the Linux kernel's RDMA core netlink handling. The flaw occurs in the ib_nl_handle_ip_res_resp function within drivers/infiniband/core/addr.c, where the kernel processes netlink responses for IP address resolution operations.

The root problem stems from improper validation of the LS_NLA_TYPE_DGID netlink attribute. When processing RDMA_NL_LS_OP_IP_RESOLVE responses, the kernel expects this attribute to always be present. However, the original implementation used a for-loop to search for the attribute without properly initializing the search result, allowing malformed userspace responses to trigger reads from uninitialized stack memory.

The KMSAN (Kernel Memory Sanitizer) bug report reveals the uninitialized value propagates through hex_byte_pack and ip6_string functions in the kernel's vsprintf implementation, ultimately reaching the printk subsystem when attempting to format IPv6 addresses for logging.

Root Cause

The vulnerability originates from inadequate netlink attribute parsing in the RDMA core subsystem. The original code used a manual for-loop to search for the LS_NLA_TYPE_DGID attribute within the netlink response, but failed to properly handle the case where the attribute was missing entirely. This resulted in the use of an uninitialized nlattrs array element when userspace provided a malformed response lacking the mandatory DGID attribute.

The fix replaces the manual search loop with the proper nla_parse_deprecated() API call, which correctly fills the nlattrs array and allows direct indexing to retrieve the DGID data. The corrected code now explicitly fails if the required attribute is NULL, preventing the uninitialized read condition.

Attack Vector

An attacker with local access and the ability to send netlink messages can craft malicious responses to kernel-initiated RDMA_NL_LS_OP_IP_RESOLVE queries. By omitting the required LS_NLA_TYPE_DGID attribute from the response, the attacker can trigger the kernel to read uninitialized stack memory.

The attack path follows the netlink message flow from userspace through netlink_sendmsg → netlink_unicast → rdma_nl_rcv → ib_nl_handle_ip_res_resp, where the uninitialized read occurs. The exposed stack data may contain sensitive kernel pointers or other privileged information that could aid further exploitation attempts.

Detection Methods for CVE-2025-71096

Indicators of Compromise

  • KMSAN warnings in kernel logs referencing uninit-value in hex_byte_pack or ip6_string functions
  • Unusual kernel panics or crashes originating from RDMA core or vsprintf subsystems
  • Anomalous netlink traffic patterns targeting RDMA subsystem operations
  • System instability when RDMA/InfiniBand services are in use

Detection Strategies

  • Enable KMSAN (Kernel Memory Sanitizer) in development or testing environments to detect uninitialized memory access
  • Monitor dmesg output for BUG reports related to uninit-value in the RDMA subsystem
  • Implement audit logging for netlink socket operations, particularly those targeting the RDMA netlink family
  • Deploy kernel integrity monitoring to detect exploitation attempts targeting memory disclosure vulnerabilities

Monitoring Recommendations

  • Configure syslog alerting for KMSAN-related kernel warnings referencing drivers/infiniband/core/addr.c
  • Monitor for unexpected netlink traffic to the RDMA netlink family from unprivileged processes
  • Implement behavioral monitoring for processes accessing RDMA subsystem interfaces
  • Track kernel version and patch status across affected systems to ensure remediation coverage

How to Mitigate CVE-2025-71096

Immediate Actions Required

  • Update the Linux kernel to a patched version containing the security fix
  • Review systems with InfiniBand or RDMA functionality enabled for potential exposure
  • Restrict netlink socket access to trusted processes where operationally feasible
  • Consider disabling RDMA functionality on systems where it is not required

Patch Information

The kernel development team has released patches that correct the netlink attribute parsing logic. The fix properly utilizes nla_parse_deprecated() to populate the nlattrs array and directly indexes the array to retrieve DGID data, failing gracefully when the required attribute is absent.

Multiple patch commits are available in the stable kernel trees:

  • Kernel Git Commit 0b948af
  • Kernel Git Commit 4553263
  • Kernel Git Commit 9d85524
  • Kernel Git Commit a7b8e87
  • Kernel Git Commit acadd40

Workarounds

  • Disable the RDMA/InfiniBand kernel modules if not required for production workloads using modprobe -r commands
  • Restrict access to netlink sockets using security policies or namespace isolation
  • Implement network segmentation to limit exposure of systems running RDMA services
  • Apply kernel hardening options such as CONFIG_INIT_STACK_ALL to mitigate uninitialized memory access risks
bash
# Disable RDMA kernel modules if not needed
modprobe -r rdma_cm
modprobe -r ib_core

# Blacklist RDMA modules to prevent automatic loading
echo "blacklist ib_core" >> /etc/modprobe.d/rdma-blacklist.conf
echo "blacklist rdma_cm" >> /etc/modprobe.d/rdma-blacklist.conf

# Verify modules are unloaded
lsmod | grep -E "(ib_core|rdma)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeInformation Disclosure
  • Vendor/TechLinux Kernel
  • SeverityNONE
  • CVSS ScoreN/A
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Kernel Git Commit 0b948af
  • Kernel Git Commit 4553263
  • Kernel Git Commit 9d85524
  • Kernel Git Commit a7b8e87
  • Kernel Git Commit acadd40
  • Related CVEs
  • CVE-2026-31428: Linux Kernel Information Disclosure Flaw
  • CVE-2026-23430: Linux Kernel Memory Leak Vulnerability
  • CVE-2026-23465: Linux Kernel Btrfs Logging Vulnerability
  • CVE-2026-23421: Linux Kernel Information Disclosure Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English