CVE-2025-71186 Overview
CVE-2025-71186 is a memory leak vulnerability in the Linux kernel's STMicroelectronics STM32 DMA multiplexer (dmamux) driver. The dmaengine subsystem fails to drop a device reference taken when looking up the DMA mux platform device during route allocation. Each route allocation leaks a reference on the underlying struct device, gradually exhausting kernel resources on affected STM32-based systems. The flaw is categorized as a Missing Release of Resource after Effective Lifetime [CWE-401]. Local, authenticated users can trigger repeated allocations to degrade system availability over time.
Critical Impact
A local low-privileged user can repeatedly trigger DMA route allocations to leak kernel device references, leading to resource exhaustion and denial of service on STM32 platforms.
Affected Products
- Linux kernel versions from 4.15 onward containing the stm32-dmamux driver
- Linux kernel 6.19 release candidates rc1 through rc8
- Embedded systems using STMicroelectronics STM32 SoCs with DMA multiplexer support
Discovery Timeline
- 2026-01-31 - CVE-2025-71186 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2025-71186
Vulnerability Analysis
The vulnerability resides in the STM32 DMA multiplexer route allocation path within the dmaengine subsystem. When the driver allocates a DMA route, it performs a platform device lookup to locate the DMA mux device. This lookup increments the device's reference count through the kernel's driver model. The allocation function never releases that reference, even though holding it provides no protection — driver data can still be torn down independently of the reference held by the caller. Every successful route allocation therefore leaves behind one leaked struct device reference.
The impact is restricted to availability. The CWE-401 classification reflects missing release of a kernel-managed resource after its effective lifetime. While a single leak is negligible, attackers or buggy userspace clients that repeatedly request DMA channels can accumulate references until kernel object accounting is exhausted, preventing further allocations and destabilizing dependent peripherals.
Root Cause
The root cause is a missing put_device() call after the platform device lookup in the STM32 dmamux route allocation code. The maintainer note clarifies that retaining the reference offers no safety benefit, since driver data lifetimes are managed separately from device reference counts. The corrected behavior is to drop the reference immediately after the lookup completes.
Attack Vector
Exploitation requires local access with privileges sufficient to trigger DMA channel requests through device drivers that consume the STM32 DMA mux. Network access is not a viable vector. User interaction is not required. Repeated allocation and release cycles by a local process amplify the leak until resource starvation occurs.
The vulnerability manifests in the STM32 dmamux route allocation path. See the upstream kernel commits in the references for the exact source-level fix.
Detection Methods for CVE-2025-71186
Indicators of Compromise
- Gradual increase in kernel object reference counts associated with the stm32-dmamux platform device with no corresponding decrement
- DMA channel allocation failures or dmaengine error messages appearing in dmesg on STM32 hardware after extended uptime
- Userspace processes repeatedly opening and closing devices that request DMA channels on affected SoCs
Detection Strategies
- Audit kernel build configurations to identify systems running affected versions with CONFIG_STM32_DMAMUX enabled
- Compare running kernel commit hashes against the fixed commits (1a179ac0, 1dda2a32, 2fb10259, 3b42020e, 3ef52d31, 6393da54, dd6e4943) published on git.kernel.org
- Monitor /sys/kernel/debug/dmaengine and platform device sysfs nodes for anomalous reference count growth on long-running STM32 deployments
Monitoring Recommendations
- Track kernel version inventory across embedded STM32 fleets and flag hosts running pre-patch builds
- Alert on repeated dmaengine allocation failures in syslog forwarded from edge devices
- Correlate process behavior that issues high-frequency DMA channel requests with kernel resource counters
How to Mitigate CVE-2025-71186
Immediate Actions Required
- Apply the upstream stable kernel patches that introduce put_device() after the DMA mux platform device lookup
- Update affected STM32 embedded devices to a kernel build that includes one of the fixed commits referenced by git.kernel.org
- Restrict local access on STM32 systems to trusted users only until patches are deployed
Patch Information
The fix has been merged across multiple stable branches. Reference the seven upstream commits: 1a179ac, 1dda2a3, 2fb1025, 3b42020, 3ef52d3, 6393da5, and dd6e494. Distribution maintainers should backport the fix to long-term support branches that ship the STM32 dmamux driver.
Workarounds
- Limit which users and services can request DMA channels on STM32 systems by tightening device node permissions
- Schedule periodic reboots on long-running embedded devices that cannot be patched immediately to reset leaked references
- Disable CONFIG_STM32_DMAMUX in custom kernel builds where the driver is not required by the hardware platform
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

