Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71154

CVE-2025-71154: Linux Kernel Memory Leak Vulnerability

CVE-2025-71154 is a memory leak flaw in the Linux kernel's rtl8150 USB driver that occurs when usb_submit_urb() fails. This article covers the technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2025-71154 Overview

CVE-2025-71154 is a memory leak vulnerability in the Linux kernel's rtl8150 USB Ethernet driver. The flaw resides in the async_set_registers() function within drivers/net/usb/rtl8150.c. When usb_submit_urb() fails, the allocated async_req structure and USB Request Block (URB) are not freed. The completion callback async_set_reg_cb() normally frees these allocations, but it only runs when URB submission succeeds. Repeated submission failures progressively exhaust kernel memory. The issue affects multiple Linux kernel branches and has been resolved upstream. This weakness is classified as [CWE-401] Missing Release of Memory after Effective Lifetime.

Critical Impact

A local attacker with the ability to trigger repeated URB submission failures on an rtl8150-driven USB Ethernet adapter can exhaust kernel memory, leading to denial of service.

Affected Products

  • Linux kernel 3.10 and earlier release candidates (rc3 through rc7)
  • Linux kernel mainline through 6.19-rc3
  • Distributions shipping unpatched rtl8150 USB Ethernet driver

Discovery Timeline

  • 2026-01-23 - CVE-2025-71154 published to NVD
  • 2026-02-26 - Last updated in NVD database

Technical Details for CVE-2025-71154

Vulnerability Analysis

The rtl8150 driver supports Realtek RTL8150 USB-to-Ethernet adapters. The async_set_registers() routine performs asynchronous register writes by allocating an async_req structure and a URB, then handing them to the USB core via usb_submit_urb(). The driver relies on the completion callback async_set_reg_cb() to release these allocations after the URB completes.

When usb_submit_urb() returns an error, the callback is never invoked. Both the URB and the heap-allocated request structure remain referenced only by lost pointers in kernel slab memory. Each failed submission leaks a fixed-size allocation. Sustained failures, such as those triggered by surprise removal of the device, low-memory conditions, or malformed USB transactions, can accumulate kernel memory pressure and degrade system availability.

Root Cause

The defect is a classic missing cleanup on error path [CWE-401]. The function transfers ownership of allocations to the USB subsystem only on successful submission. The original implementation lacked the usb_free_urb() and kfree() calls required when usb_submit_urb() returns a non-zero error code. The upstream fix adds the missing deallocations along the error branch.

Attack Vector

Exploitation requires local access and the presence of an rtl8150-driven USB device, or the ability to attach one. An attacker with physical access can repeatedly induce submission failures by removing and reinserting the adapter or by issuing crafted control operations that fail at the USB layer. The flaw cannot be triggered remotely over the network, and it does not expose data confidentiality or integrity. The impact is limited to kernel memory exhaustion and resulting denial of service.

No public proof-of-concept exploit has been published. Refer to the upstream patches such as Kernel Git Commit 12cab11 and Kernel Git Commit 4bd4ea3 for the exact code changes.

Detection Methods for CVE-2025-71154

Indicators of Compromise

  • Steadily growing kmalloc-* slab counts in /proc/slabinfo correlated with rtl8150 device activity
  • Kernel log entries from the rtl8150 driver reporting failed register writes or USB submission errors
  • Sustained drops in MemAvailable on hosts using Realtek RTL8150 USB Ethernet adapters

Detection Strategies

  • Run kmemleak on test or staging kernels with CONFIG_DEBUG_KMEMLEAK=y and inspect /sys/kernel/debug/kmemleak for unreferenced allocations originating in async_set_registers
  • Audit installed kernel package versions against vendor advisories to identify hosts still running unpatched builds
  • Correlate USB device hotplug events with kernel slab growth using existing telemetry pipelines

Monitoring Recommendations

  • Track kernel memory usage trends on systems that expose USB ports to untrusted users or shared environments
  • Alert on repeated usb_submit_urb failures referencing the rtl8150 driver in dmesg or journald
  • Inventory endpoints with Realtek RTL8150 adapters to prioritize patch rollout

How to Mitigate CVE-2025-71154

Immediate Actions Required

  • Apply the upstream kernel patches referenced in the vendor advisories and rebuild or update affected kernels
  • Restrict physical and console access to systems running unpatched kernels with rtl8150 support
  • Where the driver is not required, blacklist the rtl8150 module to remove the attack surface

Patch Information

The fix was merged across stable branches. Apply the commit corresponding to your kernel series, including Kernel Git Commit 12cab11, Kernel Git Commit 151403e, Kernel Git Commit 2f96618, Kernel Git Commit 4bd4ea3, Kernel Git Commit 6492ad6, Kernel Git Commit a4e2442, and Kernel Git Commit db2244c. Track distribution security advisories and consume vendor-signed kernel updates when available.

Workarounds

  • Blacklist the rtl8150 module on systems that do not use Realtek RTL8150 USB Ethernet adapters
  • Disable or physically restrict USB ports on critical hosts to prevent untrusted devices from loading the driver
  • Schedule periodic reboots on long-running unpatched systems to reclaim leaked kernel memory until patching completes
bash
# Blacklist the rtl8150 driver until the patched kernel is deployed
echo "blacklist rtl8150" | sudo tee /etc/modprobe.d/blacklist-rtl8150.conf
sudo rmmod rtl8150 2>/dev/null || true
sudo update-initramfs -u

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.