Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71191

CVE-2025-71191: Linux Kernel Privilege Escalation Flaw

CVE-2025-71191 is a privilege escalation vulnerability in the Linux Kernel dmaengine component that causes device reference leaks. This article covers the technical details, affected versions, security impact, and mitigation.

Updated:

CVE-2025-71191 Overview

CVE-2025-71191 is a device reference leak in the Linux kernel's at_hdmac DMA engine driver. The flaw resides in the of_dma_xlate() code path used by the Atmel HDMAC (High-speed DMA Controller) driver. The driver takes a reference on the DMA platform device during channel lookup but fails to drop that reference when releasing channel resources. Repeated allocation and release of DMA channels causes the device reference count to climb indefinitely, exhausting kernel resources and impairing system availability. A prior fix (commit 3832b78b3ec2) closed the leak on error paths only, leaving the successful allocation path vulnerable.

Critical Impact

A local authenticated user can trigger repeated DMA channel allocations to leak device references in the kernel, leading to resource exhaustion and denial of service on affected Linux systems.

Affected Products

  • Linux kernel versions containing the at_hdmac DMA engine driver prior to the fix
  • Linux kernel 6.19 release candidates rc1 through rc8
  • Linux kernel 3.10 and later branches that include the original at_hdmacof_dma_xlate() implementation

Discovery Timeline

  • 2026-01-31 - CVE-2025-71191 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2025-71191

Vulnerability Analysis

The vulnerability is a kernel-level memory and resource leak in the Atmel HDMAC dmaengine driver located at drivers/dma/at_hdmac.c. When a consumer device requests a DMA channel via the Device Tree binding, the kernel calls of_dma_xlate() to resolve the DMA controller. That helper invokes a lookup which takes a reference on the underlying platform struct device to keep it alive while the channel is in use.

The driver correctly acquired the reference during allocation but did not call put_device() on the release path. A previous fix labeled 3832b78b3ec2 ("dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate()") addressed two error branches but missed the success path entirely. Each successful channel allocation therefore leaked one device reference, which over time prevents teardown of the platform device and consumes kernel memory.

The issue is classified under [CWE-noinfo] by NVD. The impact is restricted to availability — confidentiality and integrity are unaffected.

Root Cause

The root cause is an unbalanced reference count between of_dma_xlate() acquisition and the channel release callback in at_hdmac. The reference acquired through the DMA platform device lookup was never released when the consumer freed the channel, violating the standard kernel reference-counting contract.

Attack Vector

Exploitation requires local access with privileges sufficient to open a device that requests DMA channels backed by the at_hdmac driver. An attacker repeatedly opens and closes such a device, forcing the kernel to allocate and release DMA channels. Each cycle leaks a reference, gradually exhausting kernel resources and preventing clean device teardown. No user interaction is required and the attack complexity is low. The vulnerability does not enable code execution or data disclosure.

No public proof-of-concept exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.008%.

Detection Methods for CVE-2025-71191

Indicators of Compromise

  • Continuously increasing kobject reference counts on Atmel DMA platform devices visible under /sys/devices/
  • Kernel memory growth attributable to dmaengine allocations without corresponding frees in slabinfo
  • Inability to unbind or remove the at_hdmac platform driver after sustained DMA usage

Detection Strategies

  • Audit running kernel versions against the fixed commits 48b2d7f, 49d964c, 4c67b4f, 6a86cf2, 987c71, b9074b2, and f3c23b7 from the upstream stable tree
  • Monitor process behavior on Atmel SoC platforms for repeated open/close cycles on DMA-backed character or block devices
  • Track kmemleak reports referencing at_dma_xlate or of_dma_xlate call stacks on test and staging systems

Monitoring Recommendations

  • Collect kernel logs and slabtop output centrally to identify slow leaks on long-running embedded Linux deployments
  • Alert on unexpected restarts of services that rely on Atmel DMA peripherals, which can indicate cumulative resource exhaustion
  • Baseline normal DMA channel allocation rates and flag sustained anomalies originating from a single user or process

How to Mitigate CVE-2025-71191

Immediate Actions Required

  • Apply the upstream Linux kernel stable patches that introduce the missing put_device() call in the at_hdmac channel release path
  • Inventory embedded Linux systems built on Atmel/Microchip SoCs that load the at_hdmac driver and prioritize them for patching
  • Restrict local access to devices that expose at_hdmac-backed DMA channels to trusted users only

Patch Information

The fix is available in the upstream Linux stable tree. Refer to the following commits: Kernel Git Commit 48b2d7f, Kernel Git Commit 49d964c, Kernel Git Commit 4c67b4f, Kernel Git Commit 6a86cf2, Kernel Git Commit 987c71, Kernel Git Commit b9074b2, and Kernel Git Commit f3c23b7. Distribution maintainers should backport the change to supported kernel branches.

Workarounds

  • Unload the at_hdmac module on systems that do not require Atmel HDMAC functionality using modprobe -r at_hdmac
  • Limit access to user-facing devices that internally request DMA channels through restrictive udev rules and filesystem permissions
  • Schedule periodic reboots on long-running embedded systems where patching is delayed to reset accumulated reference counts
bash
# Verify whether the at_hdmac driver is loaded and restrict access
lsmod | grep at_hdmac
sudo modprobe -r at_hdmac   # only if the driver is not required
# Confirm kernel version after patching
uname -r

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.