CVE-2025-71092 in Linux

Summary

by MITRE • 01/13/2026

In the Linux kernel, the following vulnerability has been resolved:

RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()

Commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters update") added three new counters and placed them after BNXT_RE_OUT_OF_SEQ_ERR.

BNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware statistics with different num_counters values on chip_gen_p5_p7 devices.

As a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating hw_stats, which leads to an out-of-bounds write in bnxt_re_copy_err_stats().

The counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not only p5/p7 devices.

Fix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they are included in the generic counter set.


Analysis

by VulDB Data Team • 03/31/2026

The vulnerability CVE-2025-71092 represents a critical out-of-bounds write condition in the Linux kernel's RDMA subsystem, specifically within the bnxt_re driver responsible for Broadcom NetXtreme II network adapters. This flaw arises from improper handling of hardware statistics counter allocation and management, creating a potential pathway for memory corruption that could be exploited by malicious actors. The issue manifests when the driver attempts to copy error statistics from hardware counters, where the memory layout calculations become incorrect due to misplaced counter definitions.

The technical root cause stems from a commit that introduced three new RoCE-related hardware counters without proper consideration of their placement within the counter array structure. The BNXT_RE_OUT_OF_SEQ_ERR serves as a critical boundary marker that determines how many counters are allocated for different hardware generations, particularly chip_gen_p5_p7 devices. When these new counters were positioned after this boundary marker, the driver's allocation logic incorrectly uses BNXT_RE_NUM_STD_COUNTERS for hardware statistics allocation, which creates a mismatch between the expected and actual memory boundaries. This misalignment directly results in the out-of-bounds write operation within the bnxt_re_copy_err_stats() function.

The operational impact of this vulnerability extends beyond simple memory corruption, as it affects the stability and reliability of RDMA operations across Broadcom network adapters. The flaw specifically impacts systems using chip_gen_p5_p7 devices while also potentially affecting other hardware generations due to the improper counter handling. Attackers could exploit this vulnerability to cause system crashes, data corruption, or potentially achieve privilege escalation depending on the execution context. The vulnerability affects systems where RDMA is enabled and actively used, particularly in high-performance computing environments, data centers, and server configurations that rely on Broadcom network adapters for high-speed data transmission.

The fix implemented addresses the core issue by repositioning the three problematic counters before the BNXT_RE_OUT_OF_SEQ_ERR boundary marker, ensuring they are properly included in the generic counter set that applies to all hardware generations. This approach aligns with the established patterns for hardware counter management and prevents the mismatch that led to the out-of-bounds write condition. The solution follows best practices for memory safety and robustness in kernel-level code, ensuring that all counter definitions are properly accounted for within their intended memory boundaries. This remediation addresses the fundamental design flaw while maintaining compatibility across different hardware generations and preserving the intended functionality of the error statistics collection mechanism.
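The boundary-marker mechanism described in the summary and the analysis above, reduced to a small model: an added example, not code from the kernel or from the bnxt_re driver. The index values, the struct, and the bounds-checked copy routine are constructed for illustration; only the counter names and the marker/allocation roles come from the page.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of the counter layout described above, not the kernel's
 * enum: only the boundary marker and the three moved counters are kept. */
struct err_counter_layout {
    size_t out_of_seq_err;          /* BNXT_RE_OUT_OF_SEQ_ERR, boundary marker */
    size_t req_cqe_error;           /* BNXT_RE_REQ_CQE_ERROR */
    size_t resp_cqe_error;          /* BNXT_RE_RESP_CQE_ERROR */
    size_t resp_remote_access_errs; /* BNXT_RE_RESP_REMOTE_ACCESS_ERRS */
};
/* Constructed index values. Buggy: the three counters follow the marker and so
 * fall outside the generic set. Fixed: they are moved before the marker. */
static const struct err_counter_layout buggy_layout = { 2, 3, 4, 5 };
static const struct err_counter_layout fixed_layout = { 5, 2, 3, 4 };

/* Generic devices allocate hw_stats with BNXT_RE_NUM_STD_COUNTERS entries,
 * modelled here as one past the boundary marker. */
static size_t num_std_counters(const struct err_counter_layout *l)
{
    return l->out_of_seq_err + 1;
}

/* Models bnxt_re_copy_err_stats() storing the three error counters into a
 * stats array of num_counters entries. Every store is bounds checked and the
 * count of stores that would have run past the array is returned, so the
 * layout defect is reported instead of corrupting memory. */
static int copy_err_stats(uint64_t *stats, size_t num_counters,
                          const struct err_counter_layout *l,
                          uint64_t req, uint64_t resp, uint64_t remote)
{
    const size_t idx[3] = { l->req_cqe_error, l->resp_cqe_error,
                            l->resp_remote_access_errs };
    const uint64_t val[3] = { req, resp, remote };
    int oob = 0;
    for (int i = 0; i < 3; i++) {
        if (idx[i] >= num_counters) {
            oob++;              /* an OOB write in the unchecked driver */
            continue;
        }
        stats[idx[i]] = val[i];
    }
    return oob;
}

/* Runs the generic-device path against a layout and reports how many of the
 * three error counters land outside the allocated hw_stats: 3 buggy, 0 fixed. */
static int oob_writes_for_layout(const struct err_counter_layout *l)
{
    uint64_t stats[8] = { 0 };  /* stand-in for the allocated hw_stats */
    return copy_err_stats(stats, num_std_counters(l), l, 1, 2, 3);
}
```

The same check generalises to any counter added later: compare each index the copy routine writes against the size actually allocated for that device generation rather than assuming the enum order is right.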

This vulnerability aligns with CWE-787 (Out-of-bounds Write) and CWE-129 (Improper Validation of Array Index) classifications, demonstrating the critical importance of proper memory boundary checking in kernel drivers. The issue also relates to ATT&CK technique T1068 (Exploitation for Privilege Escalation) as it could potentially be leveraged to gain elevated privileges within the kernel space. The fix demonstrates proper defensive programming practices that should be applied to all kernel subsystems handling hardware statistics and counter management, emphasizing the need for careful consideration of memory layout when extending existing data structures.

Responsible

Linux

Reservation

01/13/2026

Disclosure

01/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00025

KEV

no

Activities

very low

Sources
