Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71147

CVE-2025-71147: Linux Kernel Memory Leak Vulnerability

CVE-2025-71147 is a memory leak flaw in the Linux Kernel's trusted keys subsystem affecting the tpm2_load_cmd function. This post covers the technical details, affected versions, impact, and mitigation steps.

Updated:

CVE-2025-71147 Overview

CVE-2025-71147 is a memory leak vulnerability [CWE-401] in the Linux kernel's trusted keys subsystem. The flaw resides in the tpm2_load_cmd function, which allocates a temporary blob indirectly via tpm2_key_decode but fails to free it on failure paths. Repeated triggering of these failure paths exhausts kernel memory and can lead to denial of service on the affected host.

The issue requires local access with low privileges and no user interaction. It does not expose data confidentiality or integrity but can degrade availability of the kernel.

Critical Impact

Local low-privileged users can exhaust kernel memory by repeatedly invoking failing TPM2 trusted key load operations, leading to denial of service.

Affected Products

  • Linux Kernel (multiple stable branches, see referenced commits)
  • Distributions shipping vulnerable kernels with CONFIG_TRUSTED_KEYS and TPM2 support
  • Systems using trusted keys backed by a TPM2 device

Discovery Timeline

  • 2026-01-23 - CVE-2025-71147 published to NVD
  • 2026-02-26 - Last updated in NVD database

Technical Details for CVE-2025-71147

Vulnerability Analysis

The Linux kernel exposes trusted keys backed by a Trusted Platform Module (TPM). When loading a TPM2-sealed key, the kernel calls tpm2_load_cmd, which internally invokes tpm2_key_decode to parse the ASN.1-encoded key material into a temporary blob buffer.

On successful paths the blob is consumed and released as expected. On failure paths inside tpm2_load_cmd, control returns to the caller without freeing the allocation produced by tpm2_key_decode. Each failed load operation therefore leaks a heap allocation in kernel memory.

The upstream fix wraps the blob pointer with a cleanup helper so the buffer is released automatically when it goes out of scope, regardless of the function's return path.

Root Cause

The root cause is missing release of dynamically allocated memory on error paths, classified as a missing release of memory after effective lifetime [CWE-401]. The original code lacked unified cleanup, leaving the indirectly-allocated blob unreferenced when error handling unwound the function.

Attack Vector

Exploitation requires local access and the ability to invoke the trusted keys interface, for example through the add_key or keyctl system calls with a TPM2-backed trusted key payload. A local user submits malformed or otherwise invalid key blobs that cause tpm2_load_cmd to take a failure path. Each invocation leaks memory inside the kernel. Sustained calls degrade system stability and can force the out-of-memory killer to terminate processes.

No proof-of-concept exploit is publicly available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

The vulnerability is described in prose only; see the referenced Kernel Git Commit Changeset for the exact patch.

Detection Methods for CVE-2025-71147

Indicators of Compromise

  • Steady growth of unaccounted kernel slab allocations on hosts that expose TPM2 trusted keys to untrusted users.
  • High-frequency invocations of add_key or keyctl system calls with trusted key type from non-administrative user contexts.
  • Out-of-memory events on systems where TPM2 trusted key loads are repeatedly failing in kernel logs.

Detection Strategies

  • Audit kernel version against the fixed commits listed in the upstream stable trees and flag hosts running unpatched kernels.
  • Monitor dmesg and audit logs for repeated TPM2 key load failures originating from the same UID or process.
  • Track /proc/slabinfo and /proc/meminfo for unexplained kernel memory growth correlated with trusted key activity.

Monitoring Recommendations

  • Enable auditd rules for the add_key, request_key, and keyctl syscalls and alert on high-volume use by non-root accounts.
  • Baseline kernel memory consumption per host and alert on sustained upward drift that does not align with workload changes.
  • Forward kernel and audit telemetry to a centralized analytics platform so trusted key abuse patterns can be correlated across hosts.

How to Mitigate CVE-2025-71147

Immediate Actions Required

  • Inventory Linux hosts running kernels that include the trusted keys TPM2 code path and identify those without the fix.
  • Apply the upstream stable patches as soon as vendor-rebuilt kernels are available, then reboot to load the fixed kernel.
  • Restrict local shell and container access on systems that handle sensitive TPM2-backed keys to reduce the attack surface.

Patch Information

The fix is available in multiple Linux stable trees. Relevant kernel commits include 19166de9, 3fd7df46, 62cd5d48, 9b015f29, 9e7c63c6, and af0689ca. Apply the corresponding distribution kernel update for your release.

Workarounds

  • Limit access to the trusted keys interface by restricting which users and containers can execute keyctl and submit trusted key payloads.
  • Disable or unload TPM2 trusted key usage on hosts where it is not required, removing the vulnerable code path from exposure.
  • Apply per-user memory and process limits with cgroups to constrain the impact of repeated failing load attempts.
bash
# Verify kernel version and trusted keys exposure
uname -r
grep -E 'CONFIG_TRUSTED_KEYS|CONFIG_TCG_TPM' /boot/config-$(uname -r)

# Audit trusted key syscalls (requires auditd)
auditctl -a always,exit -F arch=b64 -S add_key,keyctl,request_key -k trusted_keys

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.