Cyber Resilience

CVE-2025-71092

High

Published: 13 January 2026
Modified: 25 March 2026
KEV Added:
Patch:
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (3.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-71092 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2025-71092 is an out-of-bounds write vulnerability in the Linux kernel's RDMA bnxt_re driver, specifically within the bnxt_re_copy_err_stats() function. The issue stems from a commit that added three new hardware counters (BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS) after the BNXT_RE_OUT_OF_SEQ_ERR boundary marker. This marker acts as the boundary for allocating hardware statistics with different num_counters values on chip_gen_p5_p7 devices. As a result, BNXT_RE_NUM_STD_COUNTERS is used when hw_stats is allocated, and bnxt_re_copy_err_stats() then writes out of bounds when copying error statistics. The vulnerability is classified under CWE-787 with a CVSS v3.1 base score of 7.8.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or system crashes within the kernel context.

The patch references describe the fix: kernel commits 369a161c48723f60f06f3510b82ea7d96d0499ab and 9b68a1cc966bc947d00e4c0df7722d118125aa37 move the three new counters before the BNXT_RE_OUT_OF_SEQ_ERR boundary marker. This ensures they are included in the generic counter set applicable to all hardware, preventing the incorrect allocation and out-of-bounds write. Security practitioners should apply the relevant stable kernel updates containing these fixes.
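
The ordering bug and its fix described above, as a simplified model added here (not the bnxt_re driver's code and not taken from the patch). It assumes the standard counter set ends at the marker, inclusive; the GENERIC_* members, the V_/F_ prefixes and the helper functions are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the enum-as-boundary-marker bug; not driver code.
 * Counter names are the advisory's with BNXT_RE_ dropped; GENERIC_* members,
 * the tiny enum sizes and all helper functions are hypothetical. */
/* Vulnerable ordering: the three new counters follow the marker. */
enum vuln_idx { V_GENERIC_A, V_GENERIC_B, V_OUT_OF_SEQ_ERR, V_REQ_CQE_ERROR,
                V_RESP_CQE_ERROR, V_RESP_REMOTE_ACCESS_ERRS, V_NUM_EXT };
/* Fixed ordering: the three new counters precede the marker. */
enum fixed_idx { F_GENERIC_A, F_GENERIC_B, F_REQ_CQE_ERROR, F_RESP_CQE_ERROR,
                 F_RESP_REMOTE_ACCESS_ERRS, F_OUT_OF_SEQ_ERR, F_NUM_EXT };

/* Assumption: the standard set ends at the marker, inclusive. */
#define V_NUM_STD ((size_t)V_OUT_OF_SEQ_ERR + 1)
#define F_NUM_STD ((size_t)F_OUT_OF_SEQ_ERR + 1)

/* Build-time guard; the same check on the V_ names would not compile. */
_Static_assert(F_RESP_REMOTE_ACCESS_ERRS <= F_OUT_OF_SEQ_ERR,
               "counter written on all hardware lies outside the std set");

/* Checked store: returns 0 where an unchecked write would be out of bounds. */
static int store(uint64_t *stats, size_t n, size_t idx, uint64_t val)
{
    if (idx >= n)
        return 0;
    stats[idx] = val;
    return 1;
}

/* Copy three error counters into an n-slot array; count the OOB stores. */
static int oob_stores(size_t n, size_t req, size_t resp, size_t remote)
{
    uint64_t stats[V_NUM_EXT] = {0};   /* backing store for either layout */
    return 3 - (store(stats, n, req, 1) + store(stats, n, resp, 2) +
                store(stats, n, remote, 3));
}

int vuln_layout_oob(void)  { return oob_stores(V_NUM_STD, V_REQ_CQE_ERROR,
                    V_RESP_CQE_ERROR, V_RESP_REMOTE_ACCESS_ERRS); }
int fixed_layout_oob(void) { return oob_stores(F_NUM_STD, F_REQ_CQE_ERROR,
                    F_RESP_CQE_ERROR, F_RESP_REMOTE_ACCESS_ERRS); }

int main(void)
{
    printf("OOB: vuln=%d fixed=%d\n", vuln_layout_oob(), fixed_layout_oob());
    return 0;
}
```

With the vulnerable ordering all three stores fall outside a standard-sized array; with the fixed ordering none do, and the static assertion keeps a later reordering from reintroducing the mismatch.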

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()

Commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters update") added three new counters and placed them after BNXT_RE_OUT_OF_SEQ_ERR. BNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware statistics with different num_counters values on chip_gen_p5_p7 devices. As a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating hw_stats, which leads to an out-of-bounds write in bnxt_re_copy_err_stats().

The counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not only p5/p7 devices. Fix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they are included in the generic counter set.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local out-of-bounds write in kernel driver directly enables privilege escalation to arbitrary kernel code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137 (same product: Linux kernel)
CVE-2026-31772 (same product: Linux kernel)
CVE-2026-23378 (same product: Linux kernel)
CVE-2026-31494 (same product: Linux kernel)
CVE-2025-21735 (same product: Linux kernel)
CVE-2025-21650 (same product: Linux kernel)
CVE-2024-52319 (same product: Linux kernel)
CVE-2024-58003 (same product: Linux kernel)
CVE-2026-23343 (same product: Linux kernel)
CVE-2026-23092 (same product: Linux kernel)

Affected Assets

linux
linux kernel
6.18, 6.19 · 6.18.1 — 6.18.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly mitigates the out-of-bounds write by requiring timely application of the specific kernel patches that correctly position the new counters before the boundary marker.

prevent: Implements kernel memory protections like address space layout randomization and supervisor mode execution prevention to hinder exploitation of the out-of-bounds write for code execution or corruption.

detect: Facilitates detection of the vulnerable kernel version via vulnerability scanning, enabling proactive patching to address the bnxt_re driver flaw.

References