Security Vulnerability Report
CVE-2025-71133 CVSS 7.1 HIGH

CVE-2025-71133

Published: 2026-01-14 15:16:03
Last Modified: 2026-03-25 18:04:13
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: avoid invalid read in irdma_net_event

irdma_net_event() should not dereference anything from "neigh" (alias "ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE. Other events come with different structures pointed to by "ptr" and they may be smaller than struct neighbour.

Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.

The bug is mostly harmless, but it triggers KASAN on debug kernels:

    BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]
    Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554

    CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1
    Hardware name: [...]
    Workqueue: events rt6_probe_deferred
    Call Trace:
     <IRQ>
     dump_stack_lvl+0x60/0xb0
     print_address_description.constprop.0+0x2c/0x3f0
     print_report+0xb4/0x270
     kasan_report+0x92/0xc0
     irdma_net_event+0x32e/0x3b0 [irdma]
     notifier_call_chain+0x9e/0x180
     atomic_notifier_call_chain+0x5c/0x110
     rt6_do_redirect+0xb91/0x1080
     tcp_v6_err+0xe9b/0x13e0
     icmpv6_notify+0x2b2/0x630
     ndisc_redirect_rcv+0x328/0x530
     icmpv6_rcv+0xc16/0x1360
     ip6_protocol_deliver_rcu+0xb84/0x12e0
     ip6_input_finish+0x117/0x240
     ip6_input+0xc4/0x370
     ipv6_rcv+0x420/0x7d0
     __netif_receive_skb_one_core+0x118/0x1b0
     process_backlog+0xd1/0x5d0
     __napi_poll.constprop.0+0xa3/0x440
     net_rx_action+0x78a/0xba0
     handle_softirqs+0x2d4/0x9c0
     do_softirq+0xad/0xe0
     </IRQ>
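
A userspace model of the ordering fix described above, added here as an illustration and not taken from the irdma driver or the upstream patch. The `model_*` types, the `EV_*` values and the payload sizes are constructed stand-ins for the kernel structures.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel types; names and sizes are illustrative. */
enum model_event { EV_NEIGH_UPDATE = 1, EV_REDIRECT = 2 };
struct model_neigh    { char state[64]; const char *dev; };  /* large payload */
struct model_redirect { int old_id; int new_id; };           /* small payload */

/* End offset of the bytes touched when the handler loads neigh->dev. */
#define DEV_READ_END (offsetof(struct model_neigh, dev) + sizeof(const char *))

/* Pre-fix ordering: dev is loaded before the switch, for every event.
 * Returns 1 if that load would run past a payload of payload_size bytes. */
static int prefix_reads_oob(unsigned long event, size_t payload_size)
{
    (void)event;                 /* the event type is not consulted before the load */
    return DEV_READ_END > payload_size;
}

/* Post-fix ordering: the cast and the load sit under the matching case.
 * Returns the device name, or NULL when ptr is not a neigh. */
static const char *fixed_handler(unsigned long event, void *ptr)
{
    switch (event) {
    case EV_NEIGH_UPDATE: {
        struct model_neigh *neigh = ptr;   /* payload type is now known */
        return neigh->dev;
    }
    default:
        return NULL;                       /* ptr is never dereferenced */
    }
}

int main(void)
{
    struct model_neigh n = { .dev = "eth0" };
    struct model_redirect r = { 1, 2 };
    const char *d = fixed_handler(EV_REDIRECT, &r);

    printf("pre-fix, neigh payload oob:    %d\n", prefix_reads_oob(EV_NEIGH_UPDATE, sizeof n));
    printf("pre-fix, redirect payload oob: %d\n", prefix_reads_oob(EV_REDIRECT, sizeof r));
    printf("fixed, neigh:    %s\n", fixed_handler(EV_NEIGH_UPDATE, &n));
    printf("fixed, redirect: %s\n", d ? d : "(ignored)");
    return 0;
}
```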

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

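cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.14.1 including, up to 5.15.198 excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16 including, up to 6.1.160 excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2 including, up to 6.6.120 excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.7 including, up to 6.12.64 excluding) - VULNERABLE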
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel 5.14.0-630.el9.x86_64 (debug build)
Linux kernel mainline < fixed version (commit 305c02e541befe4a44ffde30ed374970f41aeb6c)
Linux kernel stable < 6.1 (some stable releases)
Linux kernel stable < 6.6 (some stable releases)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * PoC for CVE-2025-71133: irdma_net_event out-of-bounds read
 *
 * The invalid read happens when irdma_net_event() is called for an event
 * other than NETEVENT_NEIGH_UPDATE, because neigh->dev is read before the
 * event type is checked.
 *
 * Note: This is a kernel-level vulnerability. This module is a stub: it
 * only logs on load and unload and does not trigger the read itself.
 */
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/netdevice.h>
#include <net/neighbour.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("PoC Author");
MODULE_DESCRIPTION("CVE-2025-71133 PoC");

/*
 * The vulnerable code pattern in irdma_net_event():
 *
 * static int irdma_net_event(struct notifier_block *nb, unsigned long event, void *ptr)
 * {
 *     struct neighbour *neigh = ptr;          // <-- Direct assignment without type check
 *     struct net_device *dev = neigh->dev;    // <-- Out-of-bounds read here
 *
 *     switch (event) {
 *     case NETEVENT_NEIGH_UPDATE:
 *         // ... process update
 *         break;
 *     default:
 *         break;
 *     }
 * }
 *
 * Trigger mechanism:
 * 1. Configure IPv6 routing to trigger ICMPv6 redirect
 * 2. The redirect handler calls rt6_do_redirect()
 * 3. rt6_do_redirect() calls notifier_call_chain()
 * 4. irdma_net_event() receives non-NETEVENT_NEIGH_UPDATE event
 * 5. KASAN detects stack-out-of-bounds read
 */

static int __init cve_2025_71133_init(void)
{
	printk(KERN_INFO "CVE-2025-71133 PoC module loaded\n");

	/*
	 * In practice, this vulnerability is triggered through network events,
	 * not by loading a module. The PoC involves:
	 * - Having irdma driver loaded
	 * - IPv6 neighbor discovery triggering redirect
	 * - KASAN-enabled kernel detecting the out-of-bounds access
	 */
	return 0;
}

static void __exit cve_2025_71133_exit(void)
{
	printk(KERN_INFO "CVE-2025-71133 PoC module unloaded\n");
}

module_init(cve_2025_71133_init);
module_exit(cve_2025_71133_exit);
```
