Security Vulnerability Report
CVE-2025-71112 CVSS 7.1 HIGH

CVE-2025-71112

Published: 2026-01-14 15:16:00
Last Modified: 2026-03-25 19:59:30
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

net: hns3: add VLAN id validation before using

Currently, the VLAN id may be used without validation when receive a VLAN configuration mailbox from VF. The length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause out-of-bounds memory access once the VLAN id is bigger than or equal to VLAN_N_VID.

Therefore, VLAN id needs to be checked to ensure it is within the range of VLAN_N_VID.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.3.1, before 5.10.248) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.11, before 5.15.198) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16, before 6.1.160) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2, before 6.6.120) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.7, before 6.12.64) - VULNERABLE
Linux kernel HNS3 driver (versions before kernel patches)
Affected kernel versions include earlier releases of the following stable branches: 5.10.y, 5.15.y, 6.1.y, 6.6.y, 6.12.y, etc.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-71112 PoC - HNS3 VLAN id OOB Access
// This PoC demonstrates the vulnerability in HNS3 driver's VLAN handling
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

// Simulated vulnerable structure
#define VLAN_N_VID 4096
#define BITS_TO_LONGS(nbits) (((nbits) + 63) / 64)

typedef struct {
    unsigned long vlan_del_fail_bmap[BITS_TO_LONGS(VLAN_N_VID)];
    int vlan_id;
} hns3_vlan_config_t;

// Userspace stand-in for the kernel's set_bit(); argument order follows the call below
static void set_bit(unsigned long *bmap, int nr)
{
    bmap[nr / 64] |= (1UL << (nr % 64));
}

// Vulnerable function - no validation of vlan_id
int hns3_handle_vlan_config(hns3_vlan_config_t *config, int vlan_id)
{
    printf("[+] Processing VLAN config for VLAN ID: %d\n", vlan_id);

    // VULNERABILITY: No bounds checking on vlan_id
    // Should check: if (vlan_id >= VLAN_N_VID) return -1;
    // This causes OOB access when vlan_id >= VLAN_N_VID
    if (vlan_id >= 0 && vlan_id < VLAN_N_VID) {
        set_bit(config->vlan_del_fail_bmap, vlan_id);
        printf("[+] Bit set successfully at index %d\n", vlan_id);
    } else {
        // This branch should never be reached in fixed version
        printf("[-] VULNERABILITY: Out-of-bounds access at index %d!\n", vlan_id);
        printf("[-] Array size: %d, accessing index: %d\n",
               BITS_TO_LONGS(VLAN_N_VID), vlan_id / 64);
        // OOB access occurs here
        config->vlan_del_fail_bmap[vlan_id / 64] |= (1UL << (vlan_id % 64));
        return -1; // Error or potential crash
    }
    return 0;
}

int main(int argc, char *argv[])
{
    hns3_vlan_config_t config;
    memset(&config, 0, sizeof(config));

    printf("=== CVE-2025-71112 PoC ===\n");
    printf("VLAN_N_VID: %d, Bitmap size: %d longs\n\n",
           VLAN_N_VID, BITS_TO_LONGS(VLAN_N_VID));

    // Legitimate VLAN ID (should work)
    printf("[Test 1] Valid VLAN ID (100):\n");
    hns3_handle_vlan_config(&config, 100);

    // Malicious VLAN ID exceeding VLAN_N_VID
    printf("\n[Test 2] Malicious VLAN ID (5000 >= VLAN_N_VID):\n");
    hns3_handle_vlan_config(&config, 5000);

    printf("\n[+] PoC completed - vulnerability demonstrated\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71112", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-14T15:16:00.313", "lastModified": "2026-03-25T19:59:29.587", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: add VLAN id validation before using\n\nCurrently, the VLAN id may be used without validation when\nreceive a VLAN configuration mailbox from VF. The length of\nvlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause\nout-of-bounds memory access once the VLAN id is bigger than\nor equal to VLAN_N_VID.\n\nTherefore, VLAN id needs to be checked to ensure it is within\nthe range of VLAN_N_VID."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: hns3: añadir validación de ID de VLAN antes de usar\n\nActualmente, el ID de VLAN puede ser usado sin validación cuando se recibe un buzón de configuración de VLAN desde VF. La longitud de vlan_del_fail_bmap es BITS_TO_LONGS(VLAN_N_VID). 
Puede causar acceso a memoria fuera de límites una vez que el ID de VLAN es mayor o igual que VLAN_N_VID.\n\nPor lo tanto, el ID de VLAN necesita ser verificado para asegurar que está dentro del rango de VLAN_N_VID."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3.1", "versionEndExcluding": "5.10.248", "matchCriteriaId": "FC0F2CC0-B58E-4871-8AFA-7E45B21DE3EE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.198", "matchCriteriaId": "82159CAA-B6BA-43C6-85D8-65BDBC175A7E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.160", "matchCriteriaId": "C10CC03E-16A9-428A-B449-40D3763E15F6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.120", "matchCriteriaId": "43C3A206-5EEE-417B-AA0F-EF8972E7A9F0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.64", "matchCriteriaId": "32BF4A52-377C-44ED-B5E6-7EA5D896E98B"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.3", "matchCriteriaId": "2DC484D8-FB4F-4112-900F-AE333B6FE7A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.3:-:*:*:*:*:*:*", "matchCriteriaId": "D036D76E-AC69-4382-B4C1-8EDA1ABB2941"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/00e56a7706e10b3d00a258d81fcb85a7e96372d6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/42c91dfa772c57de141e5a55a187ac760c0fd7e1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d6 ... (truncated)