Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71288

CVE-2025-71288: Linux Kernel MTK-SMI Memory Vulnerability

CVE-2025-71288 is a memory device leak flaw in the Linux kernel MTK-SMI component that causes reference leaks during probe failure. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-71288 Overview

CVE-2025-71288 affects the Linux kernel's MediaTek Smart Multimedia Interface (mtk-smi) memory driver. The vulnerability is a device reference leak that occurs during the common probe path. The driver fails to drop the reference taken when looking up the SMI device after a late probe failure, such as probe deferral, and on driver unbind.

The issue has been resolved in the upstream Linux kernel through multiple stable branch backports. The defect represents a resource management flaw rather than a directly exploitable memory corruption primitive, but unbounded reference accumulation can affect device lifecycle correctness on MediaTek platforms.

Critical Impact

The driver leaks device references on probe deferral and unbind, preventing proper cleanup of the SMI device structure on affected MediaTek platforms.

Affected Products

  • Linux kernel memory: mtk-smi driver (MediaTek SMI memory subsystem)
  • Stable kernel branches receiving backports referenced in commit IDs 6cfa038b, 9704564a, 984992f3, b16599fe, b44d090d, and b8b2cf42
  • MediaTek SoC platforms relying on the SMI common driver for memory bus arbitration

Discovery Timeline

  • 2026-05-06 - CVE-2025-71288 published to NVD
  • 2026-05-06 - Last updated in NVD database

Technical Details for CVE-2025-71288

Vulnerability Analysis

The Linux kernel mtk-smi driver manages MediaTek's Smart Multimedia Interface, which arbitrates memory bus access for multimedia engines. During the common probe routine, the driver performs a lookup to acquire a reference to the SMI device structure. This reference must be released along the failure and teardown paths.

The defect occurs when the probe fails late, for example through -EPROBE_DEFER returned by a downstream dependency, or when the driver is later unbound from the device. In these paths the reference taken at lookup is not dropped. Each occurrence increments the device refcount without a matching decrement.

The upstream fix ensures that the reference acquired during lookup is released on both late probe failure and on remove, restoring balanced refcount semantics. This is a resource management correctness fix categorized as a memory leak [CWE-401] in the broader sense of leaked kernel object references.

Root Cause

The root cause is missing cleanup logic in the mtk-smi common probe and unbind paths. The reference returned by the SMI device lookup is owned by the caller, but the driver omitted the corresponding put_device call when probe progressed past the lookup and then failed, and when the driver was unbound.

Attack Vector

Triggering the leak requires repeated probe deferral or repeated bind/unbind cycles of the mtk-smi driver on a MediaTek platform. There is no remote attack vector. The impact is local to systems running the affected driver and manifests as accumulated kernel object references rather than direct privilege escalation or code execution.

The vulnerability is described in prose only because no public proof-of-concept code is associated with this fix. Refer to the kernel commit for the exact source diff.

Detection Methods for CVE-2025-71288

Indicators of Compromise

  • Repeated EPROBE_DEFER events from the mtk-smi driver visible in dmesg on MediaTek SoCs
  • Increasing kernel object reference counts on SMI platform_device entries under /sys/devices after multiple bind/unbind cycles
  • Kernel running an unpatched stable branch matching the pre-fix commits referenced in the stable tree commit log

Detection Strategies

  • Inventory MediaTek-based Linux systems and confirm the running kernel version against the patched stable branches
  • Audit /sys/bus/platform/drivers/mtk-smi* for devices that fail to release after unbind operations
  • Use kmemleak and refcount tracing (CONFIG_DEBUG_KOBJECT_RELEASE) on engineering builds to validate reference balance during driver bind cycles

Monitoring Recommendations

  • Track kernel package versions across MediaTek device fleets and alert on hosts running pre-patch kernels
  • Monitor kernel logs for repeated mtk-smi probe deferral patterns that would amplify the leak
  • Include kernel patch state in endpoint posture telemetry collected by your EDR or configuration management tooling

How to Mitigate CVE-2025-71288

Immediate Actions Required

  • Identify Linux systems built on MediaTek SoCs that load the mtk-smi driver
  • Apply the stable kernel update that includes the upstream fix for the SMI common probe reference leak
  • Reboot affected hosts after patching to ensure the corrected driver is active

Patch Information

The fix has been merged to multiple stable branches. Reference commits include b8b2cf42, b44d090d, b16599fe, 984992f3, 9704564a, and 6cfa038b. Distribution vendors typically incorporate these into stable kernel point releases.

Workarounds

  • Avoid repeated bind/unbind cycles of the mtk-smi driver on unpatched kernels
  • Resolve probe-deferral conditions by ensuring downstream multimedia drivers and clocks are available at boot to minimize repeated lookups
  • Where vendor kernels cannot be updated immediately, schedule planned reboots to clear accumulated leaked references
bash
# Verify running kernel version and mtk-smi driver state
uname -r
dmesg | grep -i mtk-smi
ls /sys/bus/platform/drivers/mtk-smi*

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.