CVE-2025-71096 in Linux

Summary

by MITRE • 01/13/2026

In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly

The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not.

Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL.

Remove the for loop searching for the nla, and squash the validation and parsing into one function.

Fixes an uninitialized read from the stack triggered by userspace if it does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE query.

BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]
BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
 hex_byte_pack include/linux/hex.h:13 [inline]
 ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
 ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509
 ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633
 pointer+0xc09/0x1bd0 lib/vsprintf.c:2542
 vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930
 vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279
 vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426
 vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465
 vprintk+0x36/0x50 kernel/printk/printk_safe.c:82
 _printk+0x17e/0x1b0 kernel/printk/printk.c:2475
 ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]
 ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141
 rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]
 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
 rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x333/0x3d0 net/socket.c:729
 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617
 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671
 __sys_sendmsg+0x1aa/0x300 net/socket.c:2703
 __compat_sys_sendmsg net/compat.c:346 [inline]
 __do_compat_sys_sendmsg net/compat.c:353 [inline]
 __se_compat_sys_sendmsg net/compat.c:350 [inline]
 __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350
 ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306
 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3


Analysis

by VulDB Data Team • 03/25/2026

CVE-2025-71096 is in the Linux kernel's RDMA (Remote Direct Memory Access) core, in the handling of netlink responses to the RDMA_NL_LS_OP_IP_RESOLVE operation. The kernel issues that query itself, to a userspace helper over RDMA netlink, and a valid response must carry an LS_NLA_TYPE_DGID attribute. The handler walked the response attributes in a loop and copied the GID into a stack variable only if it happened to find that attribute; a response without it left the variable uninitialized, and the code then used it regardless. This is an uninitialized stack read, CWE-457 (Use of Uninitialized Variable), which is what the fix description says it is. It is not a memory corruption: nothing is written out of bounds.

The code path is ib_nl_handle_ip_res_resp in drivers/infiniband/core/addr.c, which inlines ib_nl_process_good_ip_rsep. Before the fix, the function searched the attribute list for LS_NLA_TYPE_DGID in a for loop, and nothing treated the absence of the attribute as an error, so the rest of the function ran with whatever the stack variable already held. The fix replaces the loop with nla_parse_deprecated(), which fills an nlattr array indexed by attribute type; the handler then indexes that array for LS_NLA_TYPE_DGID and fails the response if the entry is NULL. Validation and parsing are squashed into one function, so a response is either fully parsed or rejected, with no partially parsed state to act on.
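The two parsing shapes described above, as an added example that is not code from the kernel or from this page: a userspace model of the attribute walk in ib_nl_process_good_ip_rsep(), the pre-fix loop beside the table-indexing form the fix uses. The netlink attribute layout (nla_len, nla_type, 4-byte alignment) is the real wire format; the LS_NLA_TYPE_* numbering, the 16-byte GID, the sample payloads and every function name here are assumptions made for the model.

```c
/* Added example, not kernel code: a userspace model of the attribute parsing in
 * ib_nl_process_good_ip_rsep(), first in the pre-fix loop shape and then in the
 * table-indexing shape the fix adopts. TLV layout follows the netlink wire format;
 * the LS_NLA_TYPE_* numbering, GID length and sample payloads are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NLA_ALIGN(n) (((n) + 3) & ~3)        /* netlink attributes are 4-byte aligned */
#define GID_LEN 16
struct nla { uint16_t nla_len; uint16_t nla_type; };
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nla)))
struct ib_gid { uint8_t raw[GID_LEN]; };
enum { LS_NLA_TYPE_UNSPEC, LS_NLA_TYPE_PATH_RECORD, LS_NLA_TYPE_TIMEOUT,    /* assumed */
       LS_NLA_TYPE_SERVICE_ID, LS_NLA_TYPE_DGID, LS_NLA_TYPE_SGID, LS_NLA_TYPE_MAX = 8 };

static int nla_ok(const struct nla *a, int rem) { return rem >= NLA_HDRLEN && a->nla_len >= NLA_HDRLEN && a->nla_len <= rem; }
static const struct nla *nla_next(const struct nla *a, int *rem) { *rem -= NLA_ALIGN(a->nla_len); return (const struct nla *)((const uint8_t *)a + NLA_ALIGN(a->nla_len)); }
static const void *nla_data(const struct nla *a) { return (const uint8_t *)a + NLA_HDRLEN; }
static int nla_plen(const struct nla *a) { return a->nla_len - NLA_HDRLEN; }

/* Pre-fix shape: *gid is written only if the loop happens to see a DGID. With the
 * attribute absent it stays whatever the stack held, and the caller cannot tell. */
static void parse_dgid_loop(const uint8_t *buf, int len, struct ib_gid *gid)
{
    const struct nla *a = (const struct nla *)buf;
    int rem = len;
    for (; nla_ok(a, rem); a = nla_next(a, &rem))
        if (a->nla_type == LS_NLA_TYPE_DGID)
            memcpy(gid, nla_data(a), nla_plen(a));   /* also trusts nla_len */
}

/* Fixed shape: fill a per-type table (the job nla_parse_deprecated() does in the
 * fix), index it, and reject the message if the DGID is missing or malformed. */
static int parse_dgid_table(const uint8_t *buf, int len, struct ib_gid *gid)
{
    const struct nla *tb[LS_NLA_TYPE_MAX] = { 0 };
    const struct nla *a = (const struct nla *)buf;
    int rem = len;
    for (; nla_ok(a, rem); a = nla_next(a, &rem))
        if (a->nla_type < LS_NLA_TYPE_MAX)
            tb[a->nla_type] = a;
    if (!tb[LS_NLA_TYPE_DGID] || nla_plen(tb[LS_NLA_TYPE_DGID]) != GID_LEN)
        return -1;                                   /* invalid response: fail */
    memcpy(gid, nla_data(tb[LS_NLA_TYPE_DGID]), GID_LEN);
    return 0;
}

/* Append one attribute to a constructed response payload (buffer sized by caller). */
static void put_attr(uint8_t *buf, int *off, uint16_t type, const void *d, int dlen)
{
    int total = NLA_HDRLEN + dlen;
    struct nla *a = (struct nla *)(buf + *off);
    a->nla_len = (uint16_t)total;
    a->nla_type = type;
    memcpy(buf + *off + NLA_HDRLEN, d, dlen);
    memset(buf + *off + total, 0, NLA_ALIGN(total) - total);
    *off += NLA_ALIGN(total);
}

static const uint8_t sample_gid[GID_LEN] = {        /* constructed link-local style GID */
    0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01 };
/* Constructed response: an unrelated attribute first, then optionally the DGID. */
static int build_response(uint8_t *buf, int with_dgid)
{
    uint32_t timeout = 1000;
    int off = 0;
    put_attr(buf, &off, LS_NLA_TYPE_TIMEOUT, &timeout, sizeof timeout);
    if (with_dgid)
        put_attr(buf, &off, LS_NLA_TYPE_DGID, sample_gid, GID_LEN);
    return off;
}

/* 0: accepted and matches sample_gid; -1: rejected; 2: accepted wrong bytes. */
int fixed_result(int with_dgid)
{
    union { uint32_t align; uint8_t b[64]; } m;
    struct ib_gid gid;
    if (parse_dgid_table(m.b, build_response(m.b, with_dgid), &gid) < 0)
        return -1;
    return memcmp(gid.raw, sample_gid, GID_LEN) == 0 ? 0 : 2;
}

/* 1 if the loop parser left a sentinel-filled gid untouched (the stale-stack case KMSAN flagged). */
int loop_leaves_stale(int with_dgid)
{
    union { uint32_t align; uint8_t b[64]; } m;
    struct ib_gid gid, sentinel;
    memset(&gid, 0xAA, sizeof gid);
    memset(&sentinel, 0xAA, sizeof sentinel);
    parse_dgid_loop(m.b, build_response(m.b, with_dgid), &gid);
    return memcmp(&gid, &sentinel, sizeof gid) == 0;
}

int main(void)
{
    printf("with DGID:    fixed=%d loop_stale=%d\n", fixed_result(1), loop_leaves_stale(1));
    printf("without DGID: fixed=%d loop_stale=%d\n", fixed_result(0), loop_leaves_stale(0));
    return 0;
}
```

The loop version has no return value because, as in the code before the fix, nothing told the caller that the attribute was missing; the table version returns an error and the caller never touches the GID. The missing-DGID row is the case KMSAN reported: the sentinel stands in for whatever the kernel stack held.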

The KMSAN report pins down the consequence. The uninitialized GID is consumed by a printk in ib_nl_process_good_ip_rsep (addr.c:128) and flows through ip_addr_string, ip6_string and hex_byte_pack, so stale kernel stack bytes are formatted as an IPv6-style address into the kernel log; on the success path, the same garbage value is what the kernel would record as the resolved DGID. Read bottom-up, the trace shows the handler reached from a userspace sendmsg() on an RDMA netlink socket, here through the 32-bit compat syscall path. The report shows no control of execution and no out-of-bounds write: the demonstrated impact is a small kernel-stack disclosure into the log and a corrupted resolution result, not privilege escalation. Before rating the exposure, note that the RDMA netlink LS operations, including RDMA_NL_LS_OP_IP_RESOLVE, are registered with RDMA_NL_ADMIN_PERM, so rdma_nl_rcv_msg requires CAP_NET_ADMIN from the sending socket; a response from an unprivileged process does not reach this handler. The EPSS score of 0.00033 and the "very low" activity rating below are consistent with that.

The fix is the kernel patch titled "RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly"; update to a kernel that carries it and check the running kernel's changelog for that subject line rather than relying on the version number alone, since stable backports keep the subject. Where RDMA is not needed, do not load the ib_core module at all, which removes the handler from the attack surface; where it is needed, keep CAP_NET_ADMIN away from untrusted processes, because that is the capability the RDMA netlink LS responses require. Generic advice about monitoring netlink traffic or enabling kernel lockdown adds little here: lockdown does not gate this path, and the only signature of a bad response is the absence of an attribute. VulDB's mapping to ATT&CK T1068 (exploitation for privilege escalation) and T1499 (endpoint denial of service) should be read as bug-class defaults; the record demonstrates an uninitialized read and a log-side disclosure, not code execution or a crash.

Responsible

Linux

Reservation

01/13/2026

Disclosure

01/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00033

KEV

no

Activities

very low

Sources
