Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71287

CVE-2025-71287: Linux Kernel MTK-SMI Device Leak Flaw

CVE-2025-71287 is a device leak vulnerability in the Linux kernel's MTK-SMI memory driver affecting reference handling during probe operations. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-71287 Overview

CVE-2025-71287 is a Linux kernel vulnerability in the MediaTek Smart Multimedia Interface (SMI) memory driver (mtk-smi). The flaw causes a device reference leak in the local arbiter (larb) probe path. The driver fails to drop the reference taken when looking up the SMI device after late probe failures, including probe deferral, and on driver unbind.

The issue is a resource management defect rather than a memory-safety primitive. Repeated probe and unbind cycles can exhaust device references and prevent clean module teardown on affected MediaTek platforms.

Critical Impact

The reference leak prevents proper release of the SMI device structure, leading to resource exhaustion and potential denial-of-service on systems that exercise probe deferral or driver rebinding paths.

Affected Products

  • Linux kernel containing the drivers/memory/mtk-smi.c larb probe code
  • MediaTek platforms relying on the SMI/larb memory subsystem
  • Stable kernel branches receiving the backported fix series

Discovery Timeline

  • 2026-05-06 - CVE-2025-71287 published to NVD
  • 2026-05-06 - Last updated in NVD database

Technical Details for CVE-2025-71287

Vulnerability Analysis

The MediaTek SMI driver coordinates memory access for multimedia subsystems. During larb (local arbiter) probe, the driver looks up the parent SMI common device and takes a reference on it. The defect is that this reference is not dropped on late probe failure paths, such as -EPROBE_DEFER returns, nor on driver unbind through the remove path.

Each failed probe attempt or rebind cycle increments the device reference count without a matching decrement. Over time the SMI device cannot be released, and associated resources stay pinned. This is a classic device reference counting bug in a kernel platform driver.

Root Cause

The root cause is missing put_device() calls on the SMI device pointer obtained during larb probe. The lookup code took a reference that the success path consumed correctly, but the error unwind and the unbind path did not release it. The committed patches add the matching reference drops so that the count returns to zero on failure and removal.

Attack Vector

This is a local resource management issue with no remote vector. Triggering the leak requires conditions that drive the larb driver through probe failure or unbind, such as deferred probe ordering, hot-unbind via sysfs, or module reload sequences. The realistic impact is denial-of-service through resource exhaustion on long-running MediaTek systems, not privilege escalation or memory corruption.

No public exploit code is available, and the EPSS score reflects negligible exploitation probability. Verified fixes are distributed across stable branches in commits 04057b86fdac, 1288bb394d46, 1f23a48ff2b8, 357e16a7fc9c, 9dae65913b32, b9eccd59697f, and f69535b77fa0.

Detection Methods for CVE-2025-71287

Indicators of Compromise

  • Persistent references to the SMI platform device after mtk-smi driver unbind, visible in /sys/bus/platform/devices/.
  • Repeated EPROBE_DEFER log entries from the larb driver followed by failure to release the SMI common device.
  • Growth in kernel object counts tied to MediaTek SMI devices across module reload cycles.

Detection Strategies

  • Audit running kernel versions on MediaTek hardware against the patched commit hashes listed in the stable tree references.
  • Use kmemleak and refcount debug instrumentation in test builds to confirm absence of leaked references in the larb probe path.
  • Correlate dmesg output for mtk-smi probe failures with platform device lifecycle events.

Monitoring Recommendations

  • Track kernel package versions across MediaTek-based fleets and flag hosts running pre-patch builds.
  • Monitor for unexpected driver unbind or rebind activity on production systems, which can amplify the leak.
  • Include kernel CVE feeds in vulnerability management to capture additional mtk-smi regressions as they appear.

How to Mitigate CVE-2025-71287

Immediate Actions Required

  • Identify all Linux systems running MediaTek SoCs that load the mtk-smi driver.
  • Apply the upstream stable kernel update containing the larb probe reference-drop fix.
  • Avoid manual driver unbind and rebind cycles on mtk-smi until patched kernels are deployed.

Patch Information

The fix is committed across multiple stable branches. Reference the canonical commits in the kernel tree: Kernel Patch 04057b86fdac, Kernel Patch 1288bb394d46, Kernel Patch 1f23a48ff2b8, Kernel Patch 357e16a7fc9c, Kernel Patch 9dae65913b32, Kernel Patch b9eccd59697f, and Kernel Patch f69535b77fa0. Rebuild and deploy a kernel image that includes the matching commit for your stable branch.

Workarounds

  • Where patching is delayed, minimize operations that trigger probe deferral or driver rebind on the mtk-smi driver.
  • Pin module load order so that SMI dependencies are satisfied before larb probe to reduce deferred-probe cycles.
  • Schedule full system reboots in place of module reloads on affected platforms until the fix is deployed.
bash
# Verify the running kernel version and confirm the mtk-smi commit is present
uname -r
grep -E 'mtk-smi|mtk_smi' /proc/modules
# Check vendor-supplied changelog for the matching stable commit hash before deployment

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.