CVE-2025-71191 Overview
CVE-2025-71191 is a memory leak vulnerability in the Linux kernel's DMA engine subsystem, specifically affecting the at_hdmac driver. The vulnerability occurs in the of_dma_xlate() function where a device reference taken during DMA platform device lookup is not properly dropped when releasing channel resources. While a previous commit (3832b78b3ec2) attempted to fix this issue by adding put_device() calls in error paths, the reference leak persists on successful allocation paths.
Critical Impact
Repeated exploitation of this memory leak could lead to resource exhaustion and system instability, particularly in embedded systems using Atmel/Microchip DMA controllers.
Affected Products
- Linux kernel (at_hdmac DMA engine driver)
- Systems using Atmel/Microchip HDMAC controllers
- Embedded Linux platforms with Device Tree DMA bindings
Discovery Timeline
- 2026-01-31 - CVE CVE-2025-71191 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2025-71191
Vulnerability Analysis
This vulnerability is classified as a Memory Leak affecting the Linux kernel's DMA engine subsystem. The at_hdmac driver is used for Direct Memory Access operations on Atmel/Microchip platforms. When a DMA channel is requested through the Device Tree translation function of_dma_xlate(), the driver performs a platform device lookup that increments a reference counter on the device object. The root issue is that this reference is never decremented when the DMA channel resources are subsequently released.
The vulnerability's impact primarily affects system stability over time. Each allocation cycle that does not properly release the device reference contributes to gradual memory exhaustion. In long-running systems or applications that frequently allocate and release DMA channels, this can accumulate to significant memory consumption, potentially leading to denial of service conditions.
Root Cause
The root cause is an incomplete fix in the device reference handling within the at_hdmac driver. When the DMA translation function (of_dma_xlate()) looks up the DMA platform device, it obtains a reference that must be released when the channel is no longer needed. The prior fix (commit 3832b78b3ec2) addressed device reference leaks only in error paths but failed to account for the successful allocation path, leaving a code path where put_device() is never called during normal channel release operations.
Attack Vector
The attack vector for this vulnerability requires local access to the system with the ability to repeatedly allocate and release DMA channels. An attacker would need privileges sufficient to interact with the DMA subsystem, typically requiring kernel-level access or specific device permissions. The exploitation scenario involves:
- Repeatedly requesting DMA channels through the at_hdmac driver
- Each request creates a device reference that is never released
- Over time, memory resources become exhausted
- System stability degrades, potentially leading to denial of service
The vulnerability is exploited through normal driver operations rather than through malformed input, making it a resource exhaustion attack triggered by legitimate (but repeated) system calls.
Detection Methods for CVE-2025-71191
Indicators of Compromise
- Gradual increase in kernel memory usage over time without corresponding application memory growth
- System logs showing memory pressure warnings related to device references
- Kernel slab allocator showing increasing allocation counts for device structures
- Performance degradation in DMA operations on affected Atmel/Microchip platforms
Detection Strategies
- Monitor kernel memory statistics using /proc/meminfo and /proc/slabinfo for unusual growth patterns
- Track device reference counts using kernel debugging tools like ftrace or eBPF
- Implement watchdog monitoring for systems using at_hdmac driver to detect memory exhaustion trends
- Review system logs for OOM (Out of Memory) killer activations or memory allocation failures
Monitoring Recommendations
- Deploy memory monitoring solutions to track kernel memory usage trends on affected systems
- Set up alerts for sustained memory growth patterns that indicate potential reference leaks
- Use SentinelOne's kernel-level visibility to monitor DMA subsystem behavior and resource consumption
- Implement periodic system health checks on embedded platforms using the at_hdmac driver
How to Mitigate CVE-2025-71191
Immediate Actions Required
- Apply the latest kernel patches from the official Linux kernel stable branches
- Schedule system reboots during maintenance windows to clear accumulated leaked references
- Consider limiting DMA channel allocation frequency if patching is not immediately possible
- Monitor affected systems closely for signs of memory exhaustion
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures that put_device() is properly called when releasing DMA channel resources, not just in error paths. Multiple stable kernel branches have received this fix:
- Kernel Git Commit 6a86cf2c09e1
- Kernel Git Commit 987c71671367
- Kernel Git Commit b9074b2d7a23
- Kernel Git Commit f3c23b7e9413
Workarounds
- Implement scheduled reboots on affected systems to periodically clear leaked device references
- Reduce DMA channel allocation/deallocation frequency in application code where possible
- Monitor memory usage and restart affected services before critical thresholds are reached
- Consider using alternative DMA drivers if available for the target hardware platform
# Check if your system is affected by verifying the at_hdmac driver is loaded
lsmod | grep at_hdmac
# Monitor kernel memory usage for signs of leaks
watch -n 60 'cat /proc/meminfo | grep -E "MemFree|Slab|SReclaimable"'
# Check kernel version to determine if patched
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
