CVE-2025-71147 Overview
CVE-2025-71147 is a memory leak vulnerability in the Linux kernel's trusted key subsystem. The vulnerability exists in the tpm2_load_cmd function, which allocates a temporary blob indirectly via tpm2_key_decode but fails to free this memory in failure paths. This oversight can lead to gradual memory exhaustion on systems utilizing TPM2 trusted keys.
Critical Impact
Systems using TPM2-based trusted keys may experience memory exhaustion over time due to unreleased memory allocations during failed key loading operations.
Affected Products
- Linux Kernel (multiple versions with TPM2 trusted key support)
- Systems utilizing TPM2-based trusted key functionality
- Linux distributions shipping affected kernel versions
Discovery Timeline
- 2026-01-23 - CVE CVE-2025-71147 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-71147
Vulnerability Analysis
This vulnerability is a classic memory leak in kernel code related to TPM2 trusted key handling. The tpm2_load_cmd function is responsible for loading trusted keys via TPM2. During this process, it calls tpm2_key_decode which allocates a temporary blob for key data processing. However, when certain error conditions occur during the key loading operation, the allocated memory is not properly deallocated before the function returns.
Memory leaks in kernel space are particularly concerning because kernel memory is a finite resource that cannot be paged to disk. Repeated triggering of this vulnerability—whether intentionally by an attacker or inadvertently through normal operations encountering errors—can gradually consume available kernel memory. This could lead to system instability, denial of service conditions, or other unpredictable behavior when the system runs low on memory.
Root Cause
The root cause is missing memory deallocation in error handling paths within the tpm2_load_cmd function. When memory is allocated indirectly through tpm2_key_decode, proper cleanup must occur regardless of whether the operation succeeds or fails. The fix addresses this by wrapping the blob allocation with a cleanup helper that ensures proper memory release in all code paths.
Attack Vector
The attack vector for this vulnerability is primarily local. An attacker with the ability to trigger TPM2 trusted key loading operations that result in failures could repeatedly invoke this code path to gradually exhaust kernel memory. This could be accomplished by a local user with appropriate permissions to interact with the kernel's keyring subsystem or through applications that utilize TPM2 trusted keys.
The vulnerability mechanism involves:
- A call to tpm2_load_cmd is made to load a trusted key
- The function internally calls tpm2_key_decode, which allocates a temporary memory blob
- If an error occurs after this allocation but before normal completion, the error path returns without freeing the blob
- The memory remains allocated but unreferenced, constituting a leak
- Repeated occurrences accumulate leaked memory over time
Detection Methods for CVE-2025-71147
Indicators of Compromise
- Gradual increase in kernel memory usage without corresponding user-space memory growth
- System logs indicating memory pressure or allocation failures in kernel subsystems
- Unusual frequency of TPM2 key loading failures in system logs
- Memory exhaustion symptoms on systems with TPM2 trusted key usage
Detection Strategies
- Monitor kernel memory usage trends over time using tools like /proc/meminfo or system monitoring solutions
- Enable kernel memory leak detection tools such as kmemleak during testing and development
- Review system logs for TPM-related errors that may indicate repeated triggering of the vulnerable code path
- Implement memory usage alerting thresholds to detect gradual resource exhaustion
Monitoring Recommendations
- Configure system monitoring to alert on abnormal kernel memory consumption patterns
- Implement periodic kernel memory auditing on systems utilizing TPM2 trusted keys
- Enable detailed logging for TPM2 subsystem operations to correlate with memory usage anomalies
- Use SentinelOne's kernel-level monitoring capabilities to detect memory exhaustion indicators
How to Mitigate CVE-2025-71147
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the memory leak fix
- Monitor affected systems for signs of memory exhaustion while awaiting patch deployment
- Review and limit access to TPM2 trusted key operations to reduce potential attack surface
- Prioritize patching on systems with heavy TPM2 trusted key usage
Patch Information
The vulnerability has been addressed in the Linux kernel through multiple commits across various stable branches. The fix wraps the blob allocation with a cleanup helper to ensure proper memory release in all code paths. Patches are available through the following kernel git commits:
- Kernel Git Commit 19166de
- Kernel Git Commit 3fd7df4
- Kernel Git Commit 62cd5d4
- Kernel Git Commit 9b015f2
- Kernel Git Commit 9e7c63c
- Kernel Git Commit af0689c
Workarounds
- If patching is not immediately possible, limit access to keyring operations to trusted users and processes
- Implement scheduled system reboots to clear accumulated leaked memory as a temporary measure
- Reduce reliance on TPM2 trusted keys where alternative mechanisms are available
- Monitor and alert on memory usage to detect accumulation before it causes system instability
# Check kernel version for patch status
uname -r
# Monitor kernel memory usage
cat /proc/meminfo | grep -E "MemTotal|MemFree|Slab|SUnreclaim"
# Check for kmemleak availability (if enabled in kernel)
cat /sys/kernel/debug/kmemleak 2>/dev/null || echo "kmemleak not available"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
