CVE-2025-71291 Overview
CVE-2025-71291 is a null pointer dereference vulnerability in the Linux kernel's Broadcom VK (bcm_vk) misc driver. The flaw resides in the bcm_vk_read() function, where the entry pointer is checked for NULL but subsequently dereferenced when rc is set to -EMSGSIZE. An attacker with local access to the device interface can trigger the dereference, causing a kernel crash and a denial-of-service condition. Upstream maintainers resolved the issue by copying the required fields (to_h_msg, usr_msg_id, and to_h_blks) from the iterator into temporary variables before they are returned to userspace.
Critical Impact
Local users with access to the bcm_vk character device can crash the kernel through a null pointer dereference, resulting in denial of service.
Affected Products
- Linux kernel versions containing the bcm_vk misc driver prior to the patched commits
- Distributions shipping the unpatched Broadcom VK driver
- Systems exposing the bcm_vk device node to non-privileged users
Discovery Timeline
- 2026-05-06 - CVE-2025-71291 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2025-71291
Vulnerability Analysis
The vulnerability is a null pointer dereference [CWE-476] in the bcm_vk_read() function of the Broadcom VK misc driver. The function explicitly checks whether the entry pointer is NULL before continuing execution. However, when the return code rc is assigned -EMSGSIZE, subsequent code paths still dereference entry to access entry->to_h_msg[0], entry->usr_msg_id, and entry->to_h_blks. Reaching this state with a NULL entry causes the kernel to fault.
The upstream fix relocates the data copy. Instead of dereferencing entry after the null check fails, the patch reads the message header, user message ID, and block count from the iterator earlier in the function and stores them in stack-local temporaries. The function then returns those temporaries to the caller, eliminating the unsafe dereference path.
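As an added illustration, not the driver's own code: a simplified C model of the bug pattern and of the fix described above. The work-entry struct, the block size VK_MSGQ_BLK_SIZE and the single-entry pending list are constructed assumptions, and the "before" function records where the kernel path would dereference NULL instead of actually crashing.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define VK_MSGQ_BLK_SIZE 16   /* assumed bytes per message block */
/* Constructed stand-in for the driver's work entry: header word, user id, block count. */
struct wkent { uint32_t to_h_msg0, usr_msg_id, to_h_blks; };

struct read_result {
    int rc;
    uint32_t msg0, usr_msg_id, blks;   /* what gets handed back to the caller */
    bool deref_null;                   /* model only: the real kernel path would fault here */
};

/* BEFORE: take the head of the pending list if it fits in 'count'. If it does
 * not, rc becomes -EMSGSIZE while 'entry' is still NULL, and the error path
 * then reads through 'entry': the bcm_vk_read() bug pattern. */
static struct read_result read_before(const struct wkent *pend, size_t npend, size_t count)
{
    struct read_result r = { .rc = -ENOMSG };
    const struct wkent *entry = NULL;
    if (npend > 0) {
        if ((size_t)pend[0].to_h_blks * VK_MSGQ_BLK_SIZE <= count) { entry = &pend[0]; r.rc = 0; }
        else r.rc = -EMSGSIZE;
    }
    if (r.rc == -EMSGSIZE || entry) {
        r.deref_null = (entry == NULL);     /* NULL dereference in the real driver */
        if (!r.deref_null) { r.msg0 = entry->to_h_msg0; r.usr_msg_id = entry->usr_msg_id; r.blks = entry->to_h_blks; }
    }
    return r;
}

/* AFTER (the upstream approach): copy the needed fields into locals while the
 * iterator is known valid, then decide; no pointer survives into the error path. */
static struct read_result read_after(const struct wkent *pend, size_t npend, size_t count)
{
    struct read_result r = { .rc = -ENOMSG };
    if (npend > 0) {
        const struct wkent *iter = &pend[0];
        r.msg0 = iter->to_h_msg0; r.usr_msg_id = iter->usr_msg_id; r.blks = iter->to_h_blks;
        r.rc = ((size_t)r.blks * VK_MSGQ_BLK_SIZE <= count) ? 0 : -EMSGSIZE;
    }
    return r;
}

/* Constructed sample: one pending 4-block (64-byte) message. */
static const struct wkent sample[1] = { { 0xA5, 7, 4 } };
struct read_result demo_before(size_t count) { return read_before(sample, 1, count); }
struct read_result demo_after(size_t count)  { return read_after(sample, 1, count); }
```

With a 32-byte caller buffer both versions report -EMSGSIZE, but only the "before" model reaches the NULL dereference; the "after" model still returns the header fields it copied while the iterator was valid.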
Root Cause
The root cause is inconsistent handling of a pointer that the code itself documents as potentially NULL. The defensive check was added without refactoring the downstream consumers, leaving a window in which the -EMSGSIZE error branch still dereferences an unset (NULL) entry reference.
Attack Vector
Exploitation requires local access to the bcm_vk character device exposed by the driver. A user-space process issuing read operations under specific message-size error conditions can drive the function into the vulnerable branch. The result is a kernel oops or panic, producing denial of service on systems where the Broadcom VK accelerator driver is loaded.
No verified public proof-of-concept code is available. See the linked stable kernel commits for the authoritative source-level changes.
Detection Methods for CVE-2025-71291
Indicators of Compromise
- Kernel oops or panic messages referencing bcm_vk_read in dmesg or /var/log/kern.log
- Unexpected crashes on systems with Broadcom VK accelerator hardware and the bcm_vk module loaded
- Repeated short reads or -EMSGSIZE errors on /dev/bcm-vk.* device nodes followed by process or system instability
Detection Strategies
- Inventory hosts where lsmod | grep bcm_vk returns the module and compare the running kernel build against the patched stable commits
- Monitor kernel ring buffer for null pointer dereference traces with frames originating in the bcm_vk driver
- Correlate process activity that opens /dev/bcm-vk* device files with subsequent kernel fault events
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on BUG: kernel NULL pointer dereference events tied to bcm_vk symbols
- Track package versions for the running kernel and flag hosts that are not aligned with the fixed stable releases
- Restrict and audit user access to Broadcom VK device nodes through Linux Audit (auditd) rules
How to Mitigate CVE-2025-71291
Immediate Actions Required
- Update affected systems to a Linux kernel build that includes the upstream stable fixes referenced below
- Where patching is not immediate, unload or blacklist the bcm_vk module on hosts that do not require Broadcom VK functionality
- Restrict permissions on /dev/bcm-vk* device nodes so only trusted service accounts can open them
Patch Information
The issue is resolved across multiple Linux stable branches in the following commits: Linux Kernel Commit 20f2d9d, Linux Kernel Commit 3842f93e, Linux Kernel Commit 741c5a3a, Linux Kernel Commit aa97ccc3, Linux Kernel Commit ba75ecb9, and Linux Kernel Commit ece37221. Apply the kernel update appropriate to your distribution and reboot to load the fixed image.
Workarounds
- Blacklist the bcm_vk module via /etc/modprobe.d/ on systems that do not use Broadcom VK accelerators
- Tighten device permissions with udev rules so unprivileged users cannot open /dev/bcm-vk*
- Limit container and VM exposure of the host bcm_vk device to reduce the attack surface until patches are deployed
# Configuration example: blacklist the bcm_vk module until the kernel is patched
echo "blacklist bcm_vk" | sudo tee /etc/modprobe.d/blacklist-bcm_vk.conf
sudo rmmod bcm_vk 2>/dev/null || true
# Rebuild the initramfs so the blacklist also applies at early boot
# (update-initramfs is the Debian/Ubuntu tool; RHEL-family hosts use: sudo dracut -f)
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.