Security Vulnerability Report
中文
CVE-2025-71154 CVSS 5.5 MEDIUM

CVE-2025-71154

Published: 2026-01-23 15:16:06
Last Modified: 2026-02-26 20:30:51
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure In async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak. The completion callback async_set_reg_cb() is responsible for freeing these allocations, but it is only called after the URB is successfully submitted and completes (successfully or with error). If submission fails, the callback never runs and the memory is leaked. Fix this by freeing both the URB and the request structure in the error path when usb_submit_urb() fails.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel rtl8150 driver (versions before fix commit 12cab1191d9890097171156d06bfa8d31f1e39c8)
Linux Kernel rtl8150 driver (versions before fix commit 151403e903840c9cf06754097b6732c14f26c532)
Linux Kernel rtl8150 driver (versions before fix commit 2f966186b99550e3c665dbfb87b8314e30acea02)
Linux Kernel rtl8150 driver (versions before fix commit 4bd4ea3eb326608ffc296db12c105f92dc2f2190)
Linux Kernel rtl8150 driver (versions before fix commit 6492ad6439ff1a479fc94dc6052df3628faed8b6)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#include <linux/module.h> #include <linux/usb.h> #include <linux/netdevice.h> #define RTL8150_VENDOR_ID 0x0bda #define RTL8150_PRODUCT_ID 0x8150 static int trigger_memory_leak(struct usb_device *udev) { struct urb *urb; struct async_req *req; int ret; // Allocate async_req structure req = kzalloc(sizeof(struct async_req), GFP_KERNEL); if (!req) return -ENOMEM; // Allocate URB urb = usb_alloc_urb(0, GFP_KERNEL); if (!urb) { kfree(req); return -ENOMEM; } // Initialize URB with invalid parameters to force failure usb_fill_bulk_urb(urb, udev, usb_sndbulkpipe(udev, 0), req->data, sizeof(req->data), NULL, req); // Submit URB - may fail under certain conditions ret = usb_submit_urb(urb, GFP_KERNEL); if (ret != 0) { // BUG: In vulnerable version, urb and req are NOT freed here // This causes memory leak printk(KERN_ALERT "URB submission failed: %d\n", ret); // In fixed version, add: // usb_free_urb(urb); // kfree(req); return ret; } return 0; } MODULE_LICENSE("GPL");

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71154", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T15:16:06.327", "lastModified": "2026-02-26T20:30:51.363", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: rtl8150: fix memory leak on usb_submit_urb() failure\n\nIn async_set_registers(), when usb_submit_urb() fails, the allocated\n async_req structure and URB are not freed, causing a memory leak.\n\n The completion callback async_set_reg_cb() is responsible for freeing\n these allocations, but it is only called after the URB is successfully\n submitted and completes (successfully or with error). If submission\n fails, the callback never runs and the memory is leaked.\n\n Fix this by freeing both the URB and the request structure in the error\n path when usb_submit_urb() fails."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: usb: rtl8150: corregir fuga de memoria en caso de fallo de usb_submit_urb()\n\nEn async_set_registers(), cuando usb_submit_urb() falla, la estructura async_req asignada y el URB no se liberan, causando una fuga de memoria.\n\nLa función de devolución de llamada de finalización async_set_reg_cb() es responsable de liberar estas asignaciones, pero solo se llama después de que el URB se envía con éxito y se completa (con éxito o con error). Si el envío falla, la función de devolución de llamada nunca se ejecuta y la memoria se fuga.\n\nSolucione esto liberando tanto el URB como la estructura de solicitud en la ruta de error cuando usb_submit_urb() falla."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10.1", "versionEndExcluding": "5.10.248", "matchCriteriaId": "EF50C87B-4799-493D-B6D4-1222ADF5285D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.198", "matchCriteriaId": "82159CAA-B6BA-43C6-85D8-65BDBC175A7E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.160", "matchCriteriaId": "C10CC03E-16A9-428A-B449-40D3763E15F6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.120", "matchCriteriaId": "43C3A206-5EEE-417B-AA0F-EF8972E7A9F0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.64", "matchCriteriaId": "32BF4A52-377C-44ED-B5E6-7EA5D896E98B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.4", "matchCriteriaId": "DC988EA0-0E32-457A-BF95-89BEB31A227B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.10:-:*:*:*:*:*:*", "matchCriteriaId": "82D28405-E1F2-43CF-AA38-B228805AFFF9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.10:rc3:*:*:*:*:*:*", "matchCriteriaId": "7B933742-22C3-41D1-9588-C7E7A126DDD3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.10:rc4:*:*:*:*:*:*", "matchCriteriaId": "DC6F70D0-FB0D-4CCA-B54B-2D50D7E05C79"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.10:rc5:*:*:*:*:*:*", "matchCriteriaId": "7531C844-BA6E-44F3-BCBC-1036C21541C4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.10:rc6:*:*:*:*:*:*", "matchCriteriaId": "2DD6E1E7-AF5F-46ED-A729-288651810FFF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.10:rc7:*:*:*:*:*:*", "matchCriteriaId": "7EDF2BC7-2812-4297-9FF3-2CFFE1EE8584"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.