CVE-2025-71092

# CVE-2025-71092 PoC - Linux Kernel RDMA/bnxt_re OOB Write # This PoC demonstrates triggering the OOB write in bnxt_re_copy_err_stats() # Note: Requires bnxt_re hardware and specific kernel version import os import sys def check_vulnerability(): """Check if system is vulnerable to CVE-2025-71092""" print("[*] Checking vulnerability status for CVE-2025-71092") print("[*] Target: Linux kernel RDMA/bnxt_re driver") # Check kernel version kernel_version = os.popen("uname -r").read().strip() print(f"[*] Current kernel version: {kernel_version}") # Check if bnxt_re module is loaded result = os.popen("lsmod | grep bnxt_re").read() if result: print(f"[+] bnxt_re module is loaded: {result.strip()}") else: print("[-] bnxt_re module is not loaded") print("[*] Vulnerability requires bnxt_re hardware to be present") return False # Check for Mellanox/Broadcom network adapters lspci_result = os.popen("lspci | grep -iE 'ethernet|network' | grep -iE 'broadcom|mellanox'").read() if lspci_result: print(f"[+] Found compatible hardware: {lspci_result.strip()}") print("[*] For full exploitation, kernel debugging and hardware access required") print("[*] Recommended action: Update to patched kernel version") return None def trigger_vulnerability(): """ Attempt to trigger the OOB write condition This requires specific RDMA operations on vulnerable hardware """ print("[*] Attempting to trigger vulnerability...") print("[!] Warning: This may cause system instability or crash") print("[*] Trigger method: Execute RDMA operations that access error counters") print("[*] Expected result: Kernel oops/panic due to OOB write in hw_stats") # The actual trigger would involve: # 1. Loading the bnxt_re module on vulnerable hardware # 2. Initializing RDMA resources # 3. Triggering error conditions that populate the counters # 4. The bnxt_re_copy_err_stats() function writes beyond allocated buffer return False if __name__ == "__main__": print("=" * 60) print("CVE-2025-71092 PoC - Linux Kernel bnxt_re OOB Write") print("=" * 60) check_vulnerability() print("\n[*] For detailed exploitation, refer to kernel source analysis") print("[*] Key functions: bnxt_re_copy_err_stats(), BNXT_RE_NUM_STD_COUNTERS") print("[*] Vulnerable commits: ef56081d1864")

{"cve": {"id": "CVE-2025-71092", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-13T16:16:08.923", "lastModified": "2026-03-25T17:42:06.573", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()\n\nCommit ef56081d1864 (\"RDMA/bnxt_re: RoCE related hardware counters\nupdate\") added three new counters and placed them after\nBNXT_RE_OUT_OF_SEQ_ERR.\n\nBNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware\nstatistics with different num_counters values on chip_gen_p5_p7 devices.\n\nAs a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating\nhw_stats, which leads to an out-of-bounds write in\nbnxt_re_copy_err_stats().\n\nThe counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and\nBNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not\nonly p5/p7 devices.\n\nFix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they\nare included in the generic counter set."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nRDMA/bnxt_re: Corrección de escritura fuera de límites en bnxt_re_copy_err_stats()\n\nEl commit ef56081d1864 ('RDMA/bnxt_re: actualización de contadores de hardware relacionados con RoCE') añadió tres nuevos contadores y los colocó después de BNXT_RE_OUT_OF_SEQ_ERR.\n\nBNXT_RE_OUT_OF_SEQ_ERR actúa como un marcador de límite para la asignación de estadísticas de hardware con diferentes valores de num_counters en dispositivos chip_gen_p5_p7.\n\nComo resultado, se utilizan BNXT_RE_NUM_STD_COUNTERS al asignar hw_stats, lo que lleva a una escritura fuera de límites en bnxt_re_copy_err_stats().\n\nLos contadores BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR y BNXT_RE_RESP_REMOTE_ACCESS_ERRS son aplicables a hardware genérico, no solo a dispositivos p5/p7.\n\nEsto se corrige moviendo estos contadores antes de BNXT_RE_OUT_OF_SEQ_ERR para que se incluyan en el conjunto de contadores genéricos."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.1", "versionEndExcluding": "6.18.4", "matchCriteriaId": "036686AC-DC7A-4773-9B77-D9E4937BFDC3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*", "matchCriteriaId": "DCE57113-2223-4308-A0F2-5E6ECFBB3C23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/369a161c48723f60f06f3510b82ea7d96d0499ab", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9b68a1cc966bc947d00e4c0df7722d118125aa37", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}