FKIE_CVE-2025-71096

Vulnerability from fkie_nvd - Published: 2026-01-13 16:16 - Updated: 2026-03-25 16:59
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation and parsing into one function. Fixes an uninitialized read from the stack triggered by userspace if it does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE query. BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline] BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 hex_byte_pack include/linux/hex.h:13 [inline] ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509 ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633 pointer+0xc09/0x1bd0 lib/vsprintf.c:2542 vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930 vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279 vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426 vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465 vprintk+0x36/0x50 kernel/printk/printk_safe.c:82 _printk+0x17e/0x1b0 kernel/printk/printk.c:2475 ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline] ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141 rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline] rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x333/0x3d0 net/socket.c:729 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671 __sys_sendmsg+0x1aa/0x300 net/socket.c:2703 __compat_sys_sendmsg net/compat.c:346 [inline] __do_compat_sys_sendmsg net/compat.c:353 [inline] __se_compat_sys_sendmsg net/compat.c:350 [inline] __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350 ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0b948afc1ded88b3562c893114387f34389eeb94Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/376f46c8983458ead26cac83aa897a0b78491831Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/45532638de5da24c201aa2a9b3dd4b054064de7bPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9d85524789c2f17c0e87de8d596bcccc3683a1fcPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a7b8e876e0ef0232b8076972c57ce9a7286b47caPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/acadd4097d25d6bd472bcb3f9f3eba2b5105d1ecPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bfe10318fc23e0b3f1d0a18dad387d29473a624dPatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 4.7
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6D7D3E72-3D01-4F26-8FA2-72370332ACC4",
              "versionEndExcluding": "5.10.248",
              "versionStartIncluding": "4.7.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "82159CAA-B6BA-43C6-85D8-65BDBC175A7E",
              "versionEndExcluding": "5.15.198",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C10CC03E-16A9-428A-B449-40D3763E15F6",
              "versionEndExcluding": "6.1.160",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "43C3A206-5EEE-417B-AA0F-EF8972E7A9F0",
              "versionEndExcluding": "6.6.120",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "32BF4A52-377C-44ED-B5E6-7EA5D896E98B",
              "versionEndExcluding": "6.12.64",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC988EA0-0E32-457A-BF95-89BEB31A227B",
              "versionEndExcluding": "6.18.4",
              "versionStartIncluding": "6.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:4.7:-:*:*:*:*:*:*",
              "matchCriteriaId": "2F890998-2B89-4DE8-BA87-5B3D9A5E8E11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*",
              "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly\n\nThe netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a\nLS_NLA_TYPE_DGID attribute, it is invalid if it does not.\n\nUse the nl parsing logic properly and call nla_parse_deprecated() to fill\nthe nlattrs array and then directly index that array to get the data for\nthe DGID. Just fail if it is NULL.\n\nRemove the for loop searching for the nla, and squash the validation and\nparsing into one function.\n\nFixes an uninitialized read from the stack triggered by userspace if it\ndoes not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE\nquery.\n\n    BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]\n    BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n     hex_byte_pack include/linux/hex.h:13 [inline]\n     ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n     ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509\n     ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633\n     pointer+0xc09/0x1bd0 lib/vsprintf.c:2542\n     vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930\n     vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279\n     vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426\n     vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465\n     vprintk+0x36/0x50 kernel/printk/printk_safe.c:82\n     _printk+0x17e/0x1b0 kernel/printk/printk.c:2475\n     ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]\n     ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141\n     rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]\n     rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n     rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259\n     netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n     netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346\n     netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896\n     sock_sendmsg_nosec net/socket.c:714 [inline]\n     __sock_sendmsg+0x333/0x3d0 net/socket.c:729\n     ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617\n     ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671\n     __sys_sendmsg+0x1aa/0x300 net/socket.c:2703\n     __compat_sys_sendmsg net/compat.c:346 [inline]\n     __do_compat_sys_sendmsg net/compat.c:353 [inline]\n     __se_compat_sys_sendmsg net/compat.c:350 [inline]\n     __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350\n     ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371\n     do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n     __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306\n     do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331\n     do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nRDMA/core: Comprobar la presencia de LS_NLA_TYPE_DGID correctamente\n\nLa respuesta netlink para RDMA_NL_LS_OP_IP_RESOLVE siempre debe tener un atributo LS_NLA_TYPE_DGID; es inv\u00e1lida si no lo tiene.\n\nUsar la l\u00f3gica de an\u00e1lisis nl correctamente y llamar a nla_parse_deprecated() para rellenar el array nlattrs y luego indexar directamente ese array para obtener los datos para el DGID. Simplemente fallar si es NULL.\n\nEliminar el bucle for que busca el nla, y fusionar la validaci\u00f3n y el an\u00e1lisis en una sola funci\u00f3n.\n\nCorrige una lectura no inicializada de la pila activada por el espacio de usuario si no proporciona el DGID a una consulta RDMA_NL_LS_OP_IP_RESOLVE iniciada por el kernel.\n\n    BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]\n    BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n     hex_byte_pack include/linux/hex.h:13 [inline]\n     ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n     ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509\n     ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633\n     pointer+0xc09/0x1bd0 lib/vsprintf.c:2542\n     vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930\n     vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279\n     vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426\n     vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465\n     vprintk+0x36/0x50 kernel/printk/printk_safe.c:82\n     _printk+0x17e/0x1b0 kernel/printk/printk.c:2475\n     ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]\n     ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141\n     rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]\n     rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n     rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259\n     netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n     netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346\n     netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896\n     sock_sendmsg_nosec net/socket.c:714 [inline]\n     __sock_sendmsg+0x333/0x3d0 net/socket.c:729\n     ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617\n     ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671\n     __sys_sendmsg+0x1aa/0x300 net/socket.c:2703\n     __compat_sys_sendmsg net/compat.c:346 [inline]\n     __do_compat_sys_sendmsg net/compat.c:353 [inline]\n     __se_compat_sys_sendmsg net/compat.c:350 [inline]\n     __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350\n     ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371\n     do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n     __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306\n     do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331\n     do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3"
    }
  ],
  "id": "CVE-2025-71096",
  "lastModified": "2026-03-25T16:59:19.683",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-13T16:16:09.470",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/0b948afc1ded88b3562c893114387f34389eeb94"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/376f46c8983458ead26cac83aa897a0b78491831"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/45532638de5da24c201aa2a9b3dd4b054064de7b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9d85524789c2f17c0e87de8d596bcccc3683a1fc"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/a7b8e876e0ef0232b8076972c57ce9a7286b47ca"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/bfe10318fc23e0b3f1d0a18dad387d29473a624d"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-908"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.