CVE-2025-71157 Overview
A reference counting vulnerability has been identified in the Linux kernel's RDMA (Remote Direct Memory Access) core subsystem. The issue exists in the ib_del_sub_device_and_put() function, which fails to properly release a device reference before returning an -EOPNOTSUPP error. This flaw was introduced when nldev_deldev() was implemented (commit 060c642b2ab8) to add support for adding/deleting sub IB devices through netlink. The function ib_device_get_by_index() grabs a reference to the device, but this reference is not dropped when the error path is taken, leading to a reference count leak.
Critical Impact
Memory leak in the Linux kernel RDMA subsystem could lead to resource exhaustion and potential denial of service conditions on systems utilizing RDMA/InfiniBand functionality.
Affected Products
- Linux kernel with RDMA/InfiniBand subsystem enabled
- Systems utilizing RDMA netlink device management functionality
- Kernel versions containing commit 060c642b2ab8 but missing the fix
Discovery Timeline
- 2026-01-23 - CVE-2025-71157 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-71157
Vulnerability Analysis
This vulnerability represents a Memory Leak issue within the Linux kernel's RDMA core subsystem. The root of the problem lies in improper reference counting management within the ib_del_sub_device_and_put() function. When the nldev_deldev() function is called to delete a sub IB device through netlink, it first obtains a reference to the target device using ib_device_get_by_index(). However, when ib_del_sub_device_and_put() encounters a condition that requires returning an -EOPNOTSUPP error, the previously acquired reference is not released before the function returns.
This creates a reference count leak where the kernel believes the device is still in use even when it should not be. Over time, repeated triggering of this condition could lead to accumulated memory leaks and resource exhaustion. The vulnerability affects systems running the Linux kernel with RDMA functionality enabled, particularly those utilizing netlink-based device management for InfiniBand sub-devices.
Root Cause
The vulnerability stems from an incomplete error handling path in the ib_del_sub_device_and_put() function. When commit 060c642b2ab8 introduced netlink support for managing sub IB devices, the reference obtained via ib_device_get_by_index() was not being properly released in all code paths. Specifically, when the function determines that the operation is not supported and prepares to return -EOPNOTSUPP, it fails to call the corresponding reference drop function, leaving the device reference artificially elevated.
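The leak described above, reduced to a userspace C model (an added example, not the kernel's code or the upstream patch). The struct, the `model_*` helpers and the `can_del_sub` flag that forces the -EOPNOTSUPP path are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model only: names echo the advisory, bodies are assumptions. */
struct model_dev { int refcount; int can_del_sub; /* 0 forces -EOPNOTSUPP */ };

/* The lookup hands the caller one reference, as ib_device_get_by_index() does. */
static struct model_dev *model_get_by_index(struct model_dev *d) { d->refcount++; return d; }

static void model_put(struct model_dev *d) { d->refcount--; }

/* Pre-fix shape: the "and_put" contract is broken on the error path. */
static int del_sub_and_put_leaky(struct model_dev *d)
{
    if (!d->can_del_sub)
        return -EOPNOTSUPP;   /* reference from the lookup is never dropped */
    model_put(d);
    return 0;
}

/* Fixed shape: every return path consumes the caller's reference. */
static int del_sub_and_put_fixed(struct model_dev *d)
{
    if (!d->can_del_sub) {
        model_put(d);
        return -EOPNOTSUPP;
    }
    model_put(d);
    return 0;
}

/* Models the netlink handler: look up the device, then let the callee put it.
 * Returns the number of references left over beyond the baseline of 1. */
static int run_requests(int fixed, int n)
{
    struct model_dev dev = { .refcount = 1, .can_del_sub = 0 };
    for (int i = 0; i < n; i++) {
        struct model_dev *d = model_get_by_index(&dev);
        int rc = fixed ? del_sub_and_put_fixed(d) : del_sub_and_put_leaky(d);
        if (rc != -EOPNOTSUPP) return -1;
    }
    return dev.refcount - 1;
}

int main(void)
{
    printf("leaked refs pre-fix=%d fixed=%d\n", run_requests(0, 1000), run_requests(1, 1000));
    return 0;
}
```

Each unsupported delete request in the pre-fix shape leaves one extra reference, so the count grows linearly with the number of requests and the device can never reach a zero count for cleanup.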
Attack Vector
The attack vector for this vulnerability requires local access to a system with RDMA subsystem enabled. An attacker with the ability to invoke netlink operations for RDMA device management could potentially trigger the vulnerable code path repeatedly, causing a gradual accumulation of unreleased references. This could eventually exhaust kernel memory resources or prevent legitimate device cleanup operations, potentially leading to denial of service conditions. The vulnerability requires elevated privileges to trigger netlink RDMA operations, limiting the scope of potential exploitation.
Detection Methods for CVE-2025-71157
Indicators of Compromise
- Unexplained growth in kernel memory usage over time on systems with RDMA enabled
- RDMA device reference counts that do not decrease as expected during device deletion operations
- Kernel log messages indicating device reference count anomalies in the RDMA subsystem
- System instability or memory pressure warnings on InfiniBand-enabled systems
Detection Strategies
- Monitor kernel memory allocation patterns for gradual increases in RDMA-related structures
- Implement kernel tracing on ib_device_get_by_index() and reference release functions to detect imbalances
- Review system logs for -EOPNOTSUPP errors from RDMA netlink operations
- Use kernel debugging tools to track device reference counts in the RDMA subsystem
Monitoring Recommendations
- Enable RDMA subsystem logging and monitor for unusual device management patterns
- Implement memory monitoring alerts for systems utilizing InfiniBand functionality
- Track kernel object reference counts using appropriate debugging facilities
- Regularly audit RDMA device state and reference counts on affected systems
How to Mitigate CVE-2025-71157
Immediate Actions Required
- Apply the kernel patches referenced in the security commits immediately
- Prioritize patching systems actively using RDMA/InfiniBand functionality
- Monitor affected systems for signs of memory leaks or resource exhaustion
- Consider restricting netlink RDMA device management access to essential administrators
Patch Information
The Linux kernel development team has released fixes for this vulnerability. The patches ensure that the device reference is properly dropped in all code paths within ib_del_sub_device_and_put(), including when returning the -EOPNOTSUPP error.
Patches are available in the following commits:
Workarounds
- Disable RDMA netlink device management functionality if not required for operations
- Restrict access to netlink RDMA operations to only trusted administrators
- Implement periodic system reboots on affected systems until patches can be applied
- Monitor and alert on memory pressure conditions to detect potential exploitation
```bash
# Check if RDMA modules are loaded
lsmod | grep rdma
lsmod | grep ib_core

# Review RDMA device status
rdma dev show

# Monitor kernel memory for RDMA-related growth
cat /proc/meminfo | grep -i slab
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

