Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71190

CVE-2025-71190: Linux Kernel Device Leak Vulnerability

CVE-2025-71190 is a device leak flaw in the Linux Kernel's bcm-sba-raid dmaengine driver that fails to drop mailbox device references during probe failures. This article covers technical details, impact, and mitigation.

Updated:

CVE-2025-71190 Overview

CVE-2025-71190 is a device reference leak vulnerability in the Linux kernel's dmaengine subsystem, specifically in the Broadcom SBA-RAID (bcm-sba-raid) driver. The driver fails to drop a reference taken when looking up the mailbox device during probe failures and on driver unbind. This results in a resource leak that can degrade system availability on affected hosts. The flaw requires local access with low privileges to trigger and primarily impacts availability rather than confidentiality or integrity. Multiple stable Linux kernel branches are affected, and fixes have been merged into the upstream tree.

Critical Impact

Local low-privileged users on systems using the Broadcom SBA-RAID DMA engine driver can trigger a kernel resource leak through repeated driver probe failures or unbind operations, leading to availability degradation.

Affected Products

  • Linux kernel from version 4.13 onward where the bcm-sba-raid driver is built and loaded
  • Linux kernel 6.19 release candidates rc1 through rc8
  • Multiple stable kernel branches receiving backported fixes

Discovery Timeline

  • 2026-01-31 - CVE-2025-71190 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2025-71190

Vulnerability Analysis

The vulnerability resides in the bcm-sba-raid driver located under drivers/dma/bcm-sba-raid.c. The Broadcom SBA-RAID engine is a DMA offload engine used on Broadcom iProc SoCs to accelerate RAID parity computations. During driver probe, the code obtains a reference to a mailbox device used for command submission. The driver fails to release this reference when the probe fails partway through or when the driver is later unbound from its device. Each failed probe or unbind cycle leaks one device reference, which prevents proper teardown of the underlying device object and its associated resources.

This class of issue is categorized as a memory leak resulting from improper resource lifecycle management. The CWE classification is listed as NVD-CWE-noinfo.

Root Cause

The root cause is an unbalanced reference count on the mailbox device looked up during the bcm_sba_probe() path. Kernel device reference counting requires that every successful lookup be paired with a corresponding put operation on cleanup. The driver omits the matching put on error paths and in the remove handler, leaving the reference count permanently elevated.

Attack Vector

Exploitation requires local access to a system running an affected kernel with the bcm-sba-raid driver loaded against matching hardware. A user with sufficient privileges to bind and unbind drivers through sysfs, or to trigger probe failures, can repeatedly invoke the leaking code path. Sustained exploitation exhausts kernel resources tied to the leaked device references and contributes to denial-of-service conditions. The flaw is not remotely reachable and does not affect confidentiality or integrity of data.

No public proof-of-concept exploit has been published. See the upstream commits for technical details on the fix, including commit 4316e4c4fd2c and commit db6f1d6d3171.

Detection Methods for CVE-2025-71190

Indicators of Compromise

  • Repeated driver bind/unbind events for bcm-sba-raid recorded in kernel logs or audit trails on Broadcom iProc SoC platforms
  • Gradual growth of kernel slab usage tied to device objects without corresponding workload changes
  • Probe failure messages from the bcm-sba-raid driver appearing in dmesg followed by elevated reference counts on associated mailbox devices

Detection Strategies

  • Monitor dmesg and journalctl -k output for repeated bcm-sba-raid probe failure messages or unbind events on affected hardware
  • Audit kernel package versions across the fleet against the fixed commits referenced in the upstream advisory
  • Track unprivileged or low-privileged user activity that interacts with sysfs paths under /sys/bus/platform/drivers/bcm-sba-raid/ for bind and unbind operations

Monitoring Recommendations

  • Establish baselines for kernel memory consumption on systems using the Broadcom SBA-RAID engine and alert on sustained upward trends
  • Forward kernel logs to a centralized logging or SIEM platform and create rules for anomalous driver lifecycle activity
  • Include kernel version inventory in vulnerability management scans so unpatched hosts are surfaced automatically

How to Mitigate CVE-2025-71190

Immediate Actions Required

  • Identify systems running affected Linux kernel versions with the bcm-sba-raid driver compiled and loaded, focusing on Broadcom iProc SoC platforms
  • Apply the upstream stable kernel updates that include the reference drop fixes on probe failure and driver unbind
  • Restrict access to sysfs driver bind and unbind interfaces to administrators only and review which users hold CAP_SYS_ADMIN

Patch Information

Fixes have been merged into the upstream Linux kernel and backported to multiple stable branches. The relevant commits are available at git.kernel.org commit 2ed1a9de1f2d, commit 4316e4c4fd2c, commit 4730f12a192d, commit 7c3a46ebf15a, commit bc98e68adfef, commit c80ca7bdff15, and commit db6f1d6d3171. Administrators should consume these via their distribution's stable kernel update channel.

Workarounds

  • Unload and blacklist the bcm-sba-raid module on systems that do not require Broadcom SBA-RAID DMA offload capability
  • Limit local user access on affected systems and enforce least-privilege policies that prevent untrusted users from triggering driver probe or unbind cycles
  • Reboot systems that have accumulated significant leaked references to reclaim kernel memory while planning the patch rollout
bash
# Blacklist the bcm-sba-raid driver on systems that do not need it
echo "blacklist bcm_sba_raid" | sudo tee /etc/modprobe.d/blacklist-bcm-sba-raid.conf
sudo update-initramfs -u

# Verify the running kernel version against patched stable releases
uname -r

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.