Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71112

CVE-2025-71112: Linux Kernel Buffer Overflow Vulnerability

CVE-2025-71112 is a buffer overflow flaw in the Linux kernel's HNS3 network driver that can cause out-of-bounds memory access. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-71112 Overview

CVE-2025-71112 is an out-of-bounds memory access vulnerability in the Linux kernel's HNS3 (HiSilicon Network Subsystem 3) network driver. The vulnerability exists in the VLAN configuration handling code where a VLAN ID received from a Virtual Function (VF) via mailbox is used without proper validation. When processing VLAN configuration mailbox messages, the driver fails to validate that the VLAN ID falls within the valid range defined by VLAN_N_VID, potentially allowing an attacker to trigger out-of-bounds memory access.

Critical Impact

An attacker with access to a Virtual Function could send a malicious VLAN configuration mailbox message with an out-of-range VLAN ID, causing out-of-bounds memory access in the vlan_del_fail_bmap bitmap array. This could lead to kernel memory corruption, denial of service, or potentially privilege escalation.

Affected Products

  • Linux kernel with HNS3 network driver (net: hns3)
  • Systems using HiSilicon network adapters with SR-IOV enabled
  • Virtualized environments using HNS3 VF pass-through

Discovery Timeline

  • 2026-01-14 - CVE CVE-2025-71112 published to NVD
  • 2026-01-19 - Last updated in NVD database

Technical Details for CVE-2025-71112

Vulnerability Analysis

The vulnerability resides in the HNS3 driver's handling of VLAN configuration messages received from Virtual Functions. In SR-IOV (Single Root I/O Virtualization) environments, VFs communicate with the Physical Function (PF) driver through a mailbox mechanism. When a VF sends a VLAN configuration request, the PF driver processes the VLAN ID without first validating that it falls within the acceptable range.

The vlan_del_fail_bmap bitmap is allocated with a size of BITS_TO_LONGS(VLAN_N_VID), which accommodates VLAN IDs from 0 to 4095 (as VLAN_N_VID is defined as 4096 in the IEEE 802.1Q standard). If a malicious or compromised VF sends a VLAN configuration message with a VLAN ID greater than or equal to 4096, the driver attempts to access memory beyond the allocated bitmap bounds.

Root Cause

The root cause is missing input validation on the VLAN ID parameter received from untrusted VF mailbox messages. The HNS3 driver trusted that VFs would only send valid VLAN IDs without implementing boundary checks. This violates the security principle that all input from less privileged components (such as VFs) should be validated before use. The fix adds proper validation to ensure the VLAN ID is less than VLAN_N_VID before using it to access the bitmap.

Attack Vector

The attack requires an adversary to have control over a Virtual Function associated with an HNS3 network adapter. In cloud and virtualized environments where SR-IOV is used for network performance optimization, a malicious VM tenant could potentially craft and send specially formed VLAN configuration mailbox messages to the PF driver running in the host kernel. By specifying a VLAN ID value of 4096 or greater, the attacker can cause the PF driver to perform out-of-bounds memory operations.

The vulnerability mechanism involves the following sequence:

  1. A Virtual Function sends a VLAN configuration mailbox message to the Physical Function
  2. The PF driver extracts the VLAN ID from the message without validation
  3. The driver uses the VLAN ID to index into the vlan_del_fail_bmap bitmap
  4. If the VLAN ID exceeds VLAN_N_VID, memory access occurs outside the bitmap bounds

For detailed technical information and the fix implementation, refer to the kernel git commit 95cca25.

Detection Methods for CVE-2025-71112

Indicators of Compromise

  • Unexpected kernel panics or crashes in systems with HNS3 network adapters
  • Kernel log messages indicating memory corruption or KASAN (Kernel Address Sanitizer) violations in HNS3 driver code
  • Unusual VLAN configuration activity from Virtual Functions

Detection Strategies

  • Monitor kernel logs for HNS3 driver errors or warnings related to VLAN processing
  • Enable KASAN in development/testing environments to detect out-of-bounds memory access
  • Implement monitoring for anomalous mailbox communication patterns between VFs and PFs
  • Use kernel tracing tools (ftrace, eBPF) to monitor VLAN configuration code paths in HNS3

Monitoring Recommendations

  • Enable kernel auditing for systems running HNS3 drivers in virtualized environments
  • Deploy endpoint detection and response (EDR) solutions capable of monitoring kernel-level activity
  • Monitor for unexpected kernel module behavior or memory access patterns
  • Implement alerting for SR-IOV configuration changes and VF activity

How to Mitigate CVE-2025-71112

Immediate Actions Required

  • Update the Linux kernel to a patched version containing the VLAN ID validation fix
  • If immediate patching is not possible, consider temporarily disabling SR-IOV functionality on affected HNS3 adapters
  • Review and restrict which VMs have access to SR-IOV VFs in multi-tenant environments
  • Monitor affected systems for signs of exploitation attempts

Patch Information

The Linux kernel maintainers have released patches that add proper VLAN ID validation before using the value to access the vlan_del_fail_bmap bitmap. Multiple commits have been published to address this vulnerability across different kernel branches:

Workarounds

  • Disable SR-IOV on HNS3 network adapters until patching is complete
  • Restrict VF assignment to trusted virtual machines only
  • Implement network segmentation to limit access to affected hypervisors
  • Use alternative network drivers or adapters that are not affected by this vulnerability
bash
# Disable SR-IOV on HNS3 adapter (replace ethX with actual interface)
echo 0 > /sys/class/net/ethX/device/sriov_numvfs

# Verify SR-IOV is disabled
cat /sys/class/net/ethX/device/sriov_numvfs

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.