CVE-2025-71190 Overview
A device reference leak vulnerability has been identified in the Linux kernel's dmaengine bcm-sba-raid driver. The vulnerability occurs when the driver fails to properly drop the reference taken when looking up the mailbox device during the probe process. This reference leak can occur on both probe failures and during driver unbind operations.
Critical Impact
Memory resource leak in kernel space that could lead to system resource exhaustion over time, potentially affecting system stability on affected Linux systems using the bcm-sba-raid driver.
Affected Products
- Linux kernel with bcm-sba-raid dmaengine driver enabled
- Systems using Broadcom SBA RAID functionality
- Embedded systems and servers with affected kernel configurations
Discovery Timeline
- 2026-01-31 - CVE CVE-2025-71190 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2025-71190
Vulnerability Analysis
This vulnerability is classified as a Memory Leak affecting the Linux kernel's dmaengine subsystem, specifically the bcm-sba-raid driver. The issue stems from improper resource management during device initialization and cleanup phases.
When the bcm-sba-raid driver performs device probing, it looks up a mailbox device and acquires a reference to it. Under normal circumstances, this reference should be released when the probe fails or when the driver is unbound. However, the vulnerable code path fails to drop this reference in these error and cleanup scenarios.
The consequence is a kernel-level resource leak that persists until the system is rebooted. While the immediate impact of a single leaked reference may be negligible, repeated probe failures or driver load/unload cycles could accumulate leaked references, potentially leading to memory pressure and system degradation over time.
Root Cause
The root cause of this vulnerability is improper reference counting in the bcm-sba-raid driver's probe function. The driver acquires a device reference when looking up the mailbox device but fails to include proper cleanup code in all error paths and in the driver's unbind/remove function.
Reference counting is a critical memory management mechanism in the Linux kernel. When a reference is acquired (typically via functions like get_device() or of_find_device_by_node()), a corresponding release (via put_device()) must be called to properly free resources. Missing this release leads to orphaned references that prevent proper resource cleanup.
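The following constructed user-space model (added here; it is not the bcm-sba-raid driver's code) shows the bug class the advisory describes: a probe routine that looks up the mailbox device receives a reference it must drop on every failure path and again in remove(). The leaky and fixed variants are run through a failed probe plus a bind/unbind cycle, and the outstanding reference count is compared; find_mailbox_device() and put_device() are stand-ins for the kernel's of_find_device_by_node()/put_device().

```c
/* Constructed model of the reference-leak pattern behind CVE-2025-71190.
 * Not the real driver: the kernel's struct device and kref are replaced by
 * a plain counter so the two probe/remove variants can be compared offline. */
#include <stdbool.h>
#include <stddef.h>

struct device { int refcount; };          /* stands in for struct device + kref */
struct sba_priv { struct device *mbox; }; /* driver-private state kept across probe/remove */

static struct device mailbox = { .refcount = 1 }; /* constructed: one reference held by its bus */

/* Stand-in for of_find_device_by_node(): the caller owns the returned reference. */
static struct device *find_mailbox_device(void) { mailbox.refcount++; return &mailbox; }
/* Stand-in for put_device(). */
static void put_device(struct device *dev) { dev->refcount--; }

/* Vulnerable pattern: the reference is taken, then forgotten on the failure path and in remove(). */
static int probe_leaky(struct sba_priv *priv, bool later_step_fails)
{
    priv->mbox = find_mailbox_device();
    if (later_step_fails)
        return -1;                /* BUG: returns without put_device(priv->mbox) */
    return 0;
}
static void remove_leaky(struct sba_priv *priv) { (void)priv; /* BUG: never drops the reference */ }

/* Fixed pattern: every exit after the lookup passes through the put, and remove() mirrors probe(). */
static int probe_fixed(struct sba_priv *priv, bool later_step_fails)
{
    int ret = 0;
    priv->mbox = find_mailbox_device();
    if (later_step_fails) {
        ret = -1;
        goto err_put_mbox;        /* unwind in reverse order of acquisition */
    }
    return 0;
err_put_mbox:
    put_device(priv->mbox);
    priv->mbox = NULL;
    return ret;
}
static void remove_fixed(struct sba_priv *priv) { put_device(priv->mbox); priv->mbox = NULL; }

/* Drive one failed probe, then a successful bind followed by unbind, and return how many
 * references remain beyond the bus's own. A correct driver leaves exactly zero. */
static int leaked_refs(int (*probe)(struct sba_priv *, bool), void (*remove)(struct sba_priv *))
{
    struct sba_priv priv = { 0 };
    mailbox.refcount = 1;           /* reset the constructed device between runs */
    (void)probe(&priv, true);       /* probe failure path */
    if (probe(&priv, false) == 0)   /* successful bind ... */
        remove(&priv);              /* ... followed by unbind */
    return mailbox.refcount - 1;
}
```

The same "count before versus after a probe/unbind cycle" check is what a reviewer applies to a real driver by pairing each of_find_device_by_node() with a put_device() on every exit path.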
Attack Vector
The vulnerability is primarily a local stability concern rather than a directly exploitable security flaw. A local attacker who already holds the privileges needed to load and unload kernel modules or to trigger device probe operations could cause resource exhaustion by repeatedly exercising the vulnerable code path, for example through:
- Manipulating device tree overlays or sysfs entries to trigger repeated probe/unbind cycles
- Exploiting conditions that cause probe failures to accumulate leaked references
- Using this as part of a larger denial-of-service attack chain targeting system stability
The vulnerability affects the kernel's memory management, making it a concern for systems with high uptime requirements or those running in resource-constrained environments.
Detection Methods for CVE-2025-71190
Indicators of Compromise
- Gradual increase in kernel memory usage without corresponding user-space activity
- Unusual device reference counts visible in /sys/bus/ entries
- Kernel log messages related to bcm-sba-raid probe failures
- Memory allocation failures in kernel space after extended uptime
Detection Strategies
- Monitor kernel memory statistics using /proc/meminfo and /proc/slabinfo for unexpected growth patterns
- Implement kernel tracing via ftrace or eBPF to monitor device reference operations in the dmaengine subsystem
- Review system logs for repeated bcm-sba-raid driver probe failures or unbind operations
- Use kernel debugging tools like kmemleak to detect unreleased memory references
Monitoring Recommendations
- Set up alerting for kernel memory threshold violations on affected systems
- Implement periodic system health checks that track device driver stability metrics
- Monitor for patterns of driver load/unload that could indicate exploitation attempts
- Deploy SentinelOne Singularity Platform to detect anomalous kernel behavior and memory usage patterns
How to Mitigate CVE-2025-71190
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix for this vulnerability
- If updates cannot be applied immediately, avoid loading/unloading the bcm-sba-raid driver unnecessarily
- Monitor system memory usage on affected systems for signs of resource leakage
- Consider disabling the bcm-sba-raid driver if it is not required for system functionality
Patch Information
Multiple patches have been submitted to the Linux kernel stable tree to address this vulnerability. The fix ensures that the device reference acquired during probe is properly released on both probe failures and driver unbind operations.
The following kernel patches address this issue:
- Kernel Patch 2ed1a9de1f2d
- Kernel Patch 7c3a46ebf15a
- Kernel Patch c80ca7bdff15
- Kernel Patch db6f1d6d3171
Workarounds
- Blacklist the bcm-sba-raid module if it is not required for system functionality
- Reduce driver probe/unbind cycles by ensuring stable hardware configuration
- Implement scheduled system reboots for critical systems to clear accumulated resource leaks
- Monitor and limit kernel module loading operations on affected systems
# Configuration example
# Blacklist the bcm-sba-raid driver if not needed
echo "blacklist bcm_sba_raid" | sudo tee /etc/modprobe.d/bcm-sba-raid-blacklist.conf
sudo update-initramfs -u
# Verify the module is not loaded
lsmod | grep bcm_sba
# Check current kernel version and available updates
uname -r
apt list --upgradable | grep linux-image
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

