CVE-2025-71285 Overview
CVE-2025-71285 is a race condition vulnerability in the Linux kernel's net/qrtr (Qualcomm IPC Router) subsystem. The flaw involves the Modem Host Interface (MHI) stack's auto_queue feature for IPC Router (IPCR) downlink (DL) channels. The MHI stack automatically queues receive buffers for the DL channel, which creates a race between the MHI stack and client drivers during initialization.
When dl_callback executes before the client driver completes probing, the driver's internal structures may remain uninitialized. This results in a NULL pointer dereference in kernel space. The issue was reported on Qualcomm X1E80100 Compute Reference Design (CRD) machines, where it impacted the boot process.
Critical Impact
A NULL pointer dereference in kernel context can crash the system and prevent successful boot on affected Qualcomm-based hardware.
Affected Products
- Linux kernel net/qrtr subsystem with MHI auto_queue enabled for IPCR DL channels
- Qualcomm X1E80100 Compute Reference Design (CRD) machines
- Linux distributions shipping kernels prior to the upstream qrtr fix
Discovery Timeline
- 2026-05-06 - CVE-2025-71285 published to the National Vulnerability Database
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2025-71285
Vulnerability Analysis
The Linux kernel MHI stack provides an auto_queue feature that simplifies client driver design by automatically allocating and queuing receive buffers for the DL channel. While convenient, this feature creates a timing dependency between the MHI core and consumer drivers such as QRTR.
The dl_callback handler can fire before the QRTR client driver finishes probing. When the callback dereferences driver state that has not been initialized, the kernel encounters a NULL pointer and faults. Drivers historically tried to mitigate this by initializing internal structures before invoking mhi_prepare_for_transfer_autoqueue(). However, internal code paths could still call MHI queue APIs prior to that preparation step, reproducing the same fault.
Root Cause
The root cause is an ordering and initialization race between the MHI auto-queue mechanism and the QRTR driver probe sequence. The MHI stack assumes the client is ready to handle incoming buffers as soon as channels are prepared, but QRTR's structures may not yet exist. This pattern fits the CWE-476 NULL pointer dereference and TOCTOU-style race condition class.
Attack Vector
This vulnerability manifests during normal device initialization on affected Qualcomm hardware rather than through a network-reachable attack surface. Triggering requires the specific timing conditions present during boot of MHI-enabled platforms using the QRTR transport. The reported impact is system instability and failed boots on Qualcomm X1E80100 CRD machines.
The upstream fix removes the auto_queue feature for IPCR DL channels entirely. The QRTR driver now manages RX buffers manually: queueing buffers based on the ring length during probe and recycling them in dl_callback after consumption. Controller drivers also drop the auto_queue flag.
No verified public exploit code exists for this issue. See the upstream commits for technical details: Linux Kernel Commit 51731792, Linux Kernel Commit 7bdff9b9, and Linux Kernel Commit 8c464e00.
Detection Methods for CVE-2025-71285
Indicators of Compromise
- Kernel oops or panic logs referencing qrtr, mhi, or dl_callback during early boot
- NULL pointer dereference traces in dmesg involving mhi_prepare_for_transfer_autoqueue
- Boot failures or hangs on Qualcomm X1E80100 CRD platforms
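The fault signature listed above can be checked for mechanically. The following is an added example, not code from this page or from the Linux kernel project: a POSIX shell function that scans a kernel log (dmesg output, a journal export, or a kdump vmcore-dmesg.txt) for NULL pointer dereference traces whose frames implicate qrtr, mhi or dl_callback. It evaluates each oops as a unit rather than counting loose keyword hits, so routine MHI/QRTR boot messages sitting next to an unrelated oops do not raise a false alert, and it still counts a trace that was cut off before its "end trace" line, which is what a boot that died mid-oops leaves behind. The sample log lines are constructed; the module and frame names in them are illustrative, not copied from a real crash.

```shell
#!/bin/sh
# Added example, not from the original page or the kernel tree: scan a kernel
# log for the CVE-2025-71285 fault signature, a NULL pointer dereference whose
# call trace implicates qrtr, mhi or dl_callback. Sample logs are constructed.

# Reads a kernel log on stdin, prints the number of NULL-deref traces whose
# frames mention qrtr/mhi/dl_callback, and returns 0 when at least one exists.
qrtr_mhi_oops_check() {
    awk '
        # arm64 prints "Unable to handle kernel NULL pointer dereference",
        # x86 prints "BUG: kernel NULL pointer dereference"; match both
        /NULL pointer dereference/ { in_oops = 1; hit = 0; next }
        # Inside a trace, note any frame, module or task name pointing at QRTR/MHI
        in_oops && /qrtr|mhi|dl_callback/ { hit = 1 }
        # End of the trace: count it only if QRTR/MHI was implicated
        in_oops && /---\[ end trace/ { if (hit) found++; in_oops = 0 }
        # A boot that died mid-trace has no "end trace" line; count it anyway
        END { if (in_oops && hit) found++; print found + 0; exit (found > 0 ? 0 : 1) }
    '
}

# Constructed arm64-style log: an oops whose trace runs through the QRTR MHI
# downlink callback. Addresses, PIDs and offsets are made up.
OOPS_LOG=$(cat <<'EOF'
[    2.981001] mhi mhi0: Requested to power ON
[    3.412345] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
[    3.412400] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[    3.412410] CPU: 3 PID: 201 Comm: irq/150-mhi Not tainted 6.0.0-constructed #1
[    3.412430] Call trace:
[    3.412440]  qcom_mhi_qrtr_dl_callback+0x48/0xd0 [qrtr_mhi]
[    3.412450]  parse_xfer_event+0x1f4/0x2c0 [mhi]
[    3.412460]  mhi_irq_handler+0x70/0xa0 [mhi]
[    3.412470] ---[ end trace 0000000000000000 ]---
EOF
)

# Constructed log with healthy MHI/QRTR messages and an unrelated oops in a
# placeholder driver; this must not be reported as a QRTR/MHI fault.
CLEAN_LOG=$(cat <<'EOF'
[    2.981001] mhi mhi0: Requested to power ON
[    3.100200] mhi mhi0: Power on setup success
[    7.000100] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040
[    7.000200] Call trace:
[    7.000300]  example_sensor_probe+0x2c/0x80 [example_sensor]
[    7.000400]  platform_probe+0x68/0xd8
[    7.000500] ---[ end trace 0000000000000000 ]---
EOF
)

# Print a one-line verdict for a labelled log.
report() {
    if count=$(printf '%s\n' "$2" | qrtr_mhi_oops_check); then
        echo "$1: $count QRTR/MHI NULL-deref trace(s); kernel needs the CVE-2025-71285 fix"
    else
        echo "$1: no QRTR/MHI fault signature"
    fi
}

report "constructed oops log" "$OOPS_LOG"
report "constructed clean log" "$CLEAN_LOG"
```

On a live host the same function is fed with `dmesg | qrtr_mhi_oops_check` or `journalctl -k -b -1 | qrtr_mhi_oops_check` for the previous boot; the exit status makes it usable directly as a fleet health check.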
Detection Strategies
- Inventory Linux hosts running on Qualcomm MHI-capable hardware and identify those using QRTR over MHI
- Compare running kernel versions against the upstream stable trees that include the three referenced fix commits
- Review crash dumps and kdump collections for stack frames pointing to qrtr_mhi_callback or mhi_dl paths
Monitoring Recommendations
- Centralize kernel ring buffer logs from Qualcomm-based endpoints and alert on MHI or QRTR fault signatures
- Track patch level drift between deployed kernels and stable releases that contain the fix
- Monitor boot success telemetry on affected hardware fleets and investigate repeated early-boot crashes
How to Mitigate CVE-2025-71285
Immediate Actions Required
- Identify all Linux systems on Qualcomm MHI-capable platforms, prioritizing X1E80100 CRD devices
- Apply the upstream Linux kernel patches that drop auto_queue for IPCR DL channels
- Validate kernel rebuilds in a staging environment before fleet-wide rollout to confirm successful boot
Patch Information
The fix is delivered through three upstream Linux kernel commits in the stable tree: 51731792a25c, 7bdff9b9b0c6, and 8c464e00e075. These commits remove the MHI auto_queue feature for IPCR DL channels and refactor the QRTR driver to manage RX buffer allocation and recycling explicitly. Distribution maintainers should backport these commits to supported kernel branches.
Workarounds
- No supported workaround exists outside of applying the upstream commits, since the race is structural to the auto_queue design
- On affected Qualcomm hardware, avoid loading the QRTR-over-MHI transport until a patched kernel is available
- Where feasible, pin affected systems to a previously known-good kernel revision until the backport is deployed
# Record the running kernel version, check whether QRTR and MHI are built into this kernel, and look for MHI/QRTR fault signatures in the kernel log
# Compare the reported version against a stable release that contains the three fix commits listed above; these commands alone do not prove the fix is present
uname -r
# /proc/config.gz exists only when CONFIG_IKCONFIG_PROC is set; distribution kernels usually ship /boot/config-<release> instead
{ zcat /proc/config.gz 2>/dev/null || cat "/boot/config-$(uname -r)"; } | grep -E 'CONFIG_QRTR|CONFIG_MHI'
dmesg | grep -iE 'qrtr|mhi|NULL pointer dereference'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.