FKIE_CVE-2025-71133
Vulnerability from fkie_nvd - Published: 2026-01-14 15:16 - Updated: 2026-03-25 18:04
Summary
In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: avoid invalid read in irdma_net_event

irdma_net_event() should not dereference anything from "neigh" (alias "ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE. Other events come with different structures pointed to by "ptr" and they may be smaller than struct neighbour.

Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.

The bug is mostly harmless, but it triggers KASAN on debug kernels:
BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]
Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554
CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1
Hardware name: [...]
Workqueue: events rt6_probe_deferred
Call Trace:
<IRQ>
dump_stack_lvl+0x60/0xb0
print_address_description.constprop.0+0x2c/0x3f0
print_report+0xb4/0x270
kasan_report+0x92/0xc0
irdma_net_event+0x32e/0x3b0 [irdma]
notifier_call_chain+0x9e/0x180
atomic_notifier_call_chain+0x5c/0x110
rt6_do_redirect+0xb91/0x1080
tcp_v6_err+0xe9b/0x13e0
icmpv6_notify+0x2b2/0x630
ndisc_redirect_rcv+0x328/0x530
icmpv6_rcv+0xc16/0x1360
ip6_protocol_deliver_rcu+0xb84/0x12e0
ip6_input_finish+0x117/0x240
ip6_input+0xc4/0x370
ipv6_rcv+0x420/0x7d0
__netif_receive_skb_one_core+0x118/0x1b0
process_backlog+0xd1/0x5d0
__napi_poll.constprop.0+0xa3/0x440
net_rx_action+0x78a/0xba0
handle_softirqs+0x2d4/0x9c0
do_softirq+0xad/0xe0
</IRQ>
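
A user-space model of the ordering problem described in the summary above, added here as an illustration; it is not the irdma driver's code or the upstream patch. The struct layouts, event constants and the size-tracking `payload` wrapper are simplified assumptions, and the wrapper exists so that a read past the payload object is counted rather than performed.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins (assumptions), not the kernel's definitions. */
enum model_event { EV_NEIGH_UPDATE = 1, EV_REDIRECT = 2 };
struct model_neighbour { unsigned char other_fields[64]; void *dev; };
struct model_redirect  { void *old_dst, *new_dst; };   /* smaller payload */

/* Untyped notifier argument; size is tracked only so the model can flag a bad read. */
struct payload { const void *ptr; size_t size; };
static int oob_reads;   /* reads that would leave the payload object */

/* Model of "neigh->dev": fetch a pointer at offsetof(model_neighbour, dev). */
static void *read_dev(struct payload p)
{
    size_t off = offsetof(struct model_neighbour, dev);
    void *dev = NULL;
    if (off + sizeof(dev) > p.size) { oob_reads++; return NULL; }
    memcpy(&dev, (const unsigned char *)p.ptr + off, sizeof(dev));
    return dev;
}

/* Ordering the summary describes as the bug: read first, check the event later. */
static void *handler_before(enum model_event ev, struct payload p)
{
    void *dev = read_dev(p);          /* runs for every event type */
    if (ev != EV_NEIGH_UPDATE) return NULL;
    return dev;
}

/* Ordering after the fix: the read sits under the matching case only. */
static void *handler_after(enum model_event ev, struct payload p)
{
    switch (ev) {
    case EV_NEIGH_UPDATE: return read_dev(p);
    default:              return NULL;
    }
}

/* Deliver one redirect and one neighbour update; return the flagged reads. */
static int run(void *(*h)(enum model_event, struct payload), void **dev_out)
{
    static int netdev;                /* constructed stand-in for a device */
    struct model_redirect r = { 0 };
    struct model_neighbour n = { .dev = &netdev };
    oob_reads = 0;
    h(EV_REDIRECT, (struct payload){ &r, sizeof(r) });
    *dev_out = h(EV_NEIGH_UPDATE, (struct payload){ &n, sizeof(n) });
    return oob_reads;
}
int main(void) { void *d; return run(handler_after, &d); }
```

Both handlers return the same device for the neighbour update; only the first one touches memory beyond the smaller redirect payload, which is the access KASAN reports in the trace.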
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | 5.14 | |
| linux | linux_kernel | 6.19 | |
| linux | linux_kernel | 6.19 | |
| linux | linux_kernel | 6.19 | |
| linux | linux_kernel | 6.19 | |
| linux | linux_kernel | 6.19 | |
| linux | linux_kernel | 6.19 | |
| linux | linux_kernel | 6.19 | |
| linux | linux_kernel | 6.19 | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "102AA369-FA9F-42BE-821F-C58E5C5DABDD",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.14.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C10CC03E-16A9-428A-B449-40D3763E15F6",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "43C3A206-5EEE-417B-AA0F-EF8972E7A9F0",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "32BF4A52-377C-44ED-B5E6-7EA5D896E98B",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DC988EA0-0E32-457A-BF95-89BEB31A227B",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:-:*:*:*:*:*:*",
"matchCriteriaId": "6A05198E-F8FA-4517-8D0E-8C95066AED38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*",
"matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*",
"matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*",
"matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*",
"matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*",
"matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*",
"matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*",
"matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*",
"matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: avoid invalid read in irdma_net_event\n\nirdma_net_event() should not dereference anything from \"neigh\" (alias\n\"ptr\") until it has checked that the event is NETEVENT_NEIGH_UPDATE.\nOther events come with different structures pointed to by \"ptr\" and they\nmay be smaller than struct neighbour.\n\nMove the read of neigh-\u003edev under the NETEVENT_NEIGH_UPDATE case.\n\nThe bug is mostly harmless, but it triggers KASAN on debug kernels:\n\n BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]\n Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554\n\n CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1\n Hardware name: [...]\n Workqueue: events rt6_probe_deferred\n Call Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x60/0xb0\n print_address_description.constprop.0+0x2c/0x3f0\n print_report+0xb4/0x270\n kasan_report+0x92/0xc0\n irdma_net_event+0x32e/0x3b0 [irdma]\n notifier_call_chain+0x9e/0x180\n atomic_notifier_call_chain+0x5c/0x110\n rt6_do_redirect+0xb91/0x1080\n tcp_v6_err+0xe9b/0x13e0\n icmpv6_notify+0x2b2/0x630\n ndisc_redirect_rcv+0x328/0x530\n icmpv6_rcv+0xc16/0x1360\n ip6_protocol_deliver_rcu+0xb84/0x12e0\n ip6_input_finish+0x117/0x240\n ip6_input+0xc4/0x370\n ipv6_rcv+0x420/0x7d0\n __netif_receive_skb_one_core+0x118/0x1b0\n process_backlog+0xd1/0x5d0\n __napi_poll.constprop.0+0xa3/0x440\n net_rx_action+0x78a/0xba0\n handle_softirqs+0x2d4/0x9c0\n do_softirq+0xad/0xe0\n \u003c/IRQ\u003e"
},
{
"lang": "es",
"value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nRDMA/irdma: evitar lectura inv\u00e1lida en irdma_net_event\n\nirdma_net_event() no deber\u00eda desreferenciar nada de \u0027neigh\u0027 (alias \u0027ptr\u0027) hasta que haya comprobado que el evento es NETEVENT_NEIGH_UPDATE. Otros eventos vienen con diferentes estructuras apuntadas por \u0027ptr\u0027 y pueden ser m\u00e1s peque\u00f1as que struct neighbour.\n\nMover la lectura de neigh-\u0026gt;dev bajo el caso NETEVENT_NEIGH_UPDATE.\n\nEl error es mayormente inofensivo, pero activa KASAN en kernels de depuraci\u00f3n:\n\n ERROR: KASAN: desbordamiento de pila en irdma_net_event+0x32e/0x3b0 [irdma]\n Lectura de tama\u00f1o 8 en la direcci\u00f3n ffffc900075e07f0 por la tarea kworker/27:2/542554\n\n CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1\n Hardware name: [...]\n Workqueue: events rt6_probe_deferred\n Rastro de Llamada:\n \n dump_stack_lvl+0x60/0xb0\n print_address_description.constprop.0+0x2c/0x3f0\n print_report+0xb4/0x270\n kasan_report+0x92/0xc0\n irdma_net_event+0x32e/0x3b0 [irdma]\n notifier_call_chain+0x9e/0x180\n atomic_notifier_call_chain+0x5c/0x110\n rt6_do_redirect+0xb91/0x1080\n tcp_v6_err+0xe9b/0x13e0\n icmpv6_notify+0x2b2/0x630\n ndisc_redirect_rcv+0x328/0x530\n icmpv6_rcv+0xc16/0x1360\n ip6_protocol_deliver_rcu+0xb84/0x12e0\n ip6_input_finish+0x117/0x240\n ip6_input+0xc4/0x370\n ipv6_rcv+0x420/0x7d0\n __netif_receive_skb_one_core+0x118/0x1b0\n process_backlog+0xd1/0x5d0\n __napi_poll.constprop.0+0xa3/0x440\n net_rx_action+0x78a/0xba0\n handle_softirqs+0x2d4/0x9c0\n do_softirq+0xad/0xe0\n "
}
],
"id": "CVE-2025-71133",
"lastModified": "2026-03-25T18:04:12.687",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-01-14T15:16:03.053",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/305c02e541befe4a44ffde30ed374970f41aeb6c"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/6f05611728e9d0ab024832a4f1abb74a5f5d0bb0"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/bf197c7c79ef6458d1ee84dd7db251b51784885f"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/d9b9affd103f51b42322da4ed5ac025b560bc354"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/db93ae6fa66f1c61ae63400191195e3ee58021da"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/fc23d05f0b3fb4d80657e7afebae2cae686b31c8"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-125"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}