CVE-2025-71112
Published: 14 January 2026
Summary
CVE-2025-71112 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 6.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2025-71112 is a vulnerability in the Linux kernel's hns3 network driver, where VLAN IDs received via a VLAN configuration mailbox from a virtual function (VF) are not validated before use. This can lead to out-of-bounds memory access in the vlan_del_fail_bmap array, which is sized based on BITS_TO_LONGS(VLAN_N_VID). If the VLAN ID is greater than or equal to VLAN_N_VID, it triggers the issue, classified under CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. In SR-IOV environments where VFs communicate with the physical function (PF) via mailboxes, a malicious VF can send a crafted VLAN configuration message containing an oversized VLAN ID. Successful exploitation enables high-impact confidentiality violations through out-of-bounds reads and high-impact availability disruptions, such as kernel crashes, while integrity impact remains none.
Mitigation involves applying kernel patches that add VLAN ID validation to ensure values stay within the VLAN_N_VID range before processing. Relevant stable kernel commits include 00e56a7706e10b3d00a258d81fcb85a7e96372d6, 42c91dfa772c57de141e5a55a187ac760c0fd7e1, 46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8, 6ef935e65902bfed53980ad2754b06a284ea8ac1, and 91a51d01be5c9f82c12c2921ca5cceaa31b67128, available via git.kernel.org.
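The range check described above, modelled in user-space C as an added example; it is not the hns3 driver code or the upstream patch. The struct and function names are hypothetical, and VLAN_N_VID is taken as 4096, its value in the kernel headers.

```c
/* User-space model of the bounds check; not the hns3 driver source. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define VLAN_N_VID 4096 /* number of 12-bit VLAN IDs (assumed kernel value) */
#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Hypothetical stand-in for the PF's per-VF state. */
struct vport_model {
    unsigned long vlan_del_fail_bmap[BITS_TO_LONGS(VLAN_N_VID)];
};

/* Word a VLAN ID selects; for vlan_id >= VLAN_N_VID it lies past the array. */
static size_t bmap_word_index(uint16_t vlan_id)
{
    return vlan_id / BITS_PER_LONG;
}

/* Hardened handler: reject the ID before it is used as a bit index. */
static int record_vlan_del_failure(struct vport_model *vp, uint16_t vlan_id)
{
    if (vlan_id >= VLAN_N_VID)
        return -EINVAL;
    vp->vlan_del_fail_bmap[bmap_word_index(vlan_id)] |=
        1UL << (vlan_id % BITS_PER_LONG);
    return 0;
}

/* Returns 1 if the bit for vlan_id is set, 0 otherwise (or if out of range). */
static int vlan_del_failure_recorded(const struct vport_model *vp, uint16_t vlan_id)
{
    if (vlan_id >= VLAN_N_VID)
        return 0;
    return (vp->vlan_del_fail_bmap[bmap_word_index(vlan_id)] >>
            (vlan_id % BITS_PER_LONG)) & 1UL;
}

int main(void)
{
    struct vport_model vp = {0};
    /* Constructed mailbox values: two valid IDs, the first invalid one, the 16-bit maximum. */
    const uint16_t ids[] = {1, 4095, 4096, 65535};
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
        printf("vlan %u: word %zu of %zu, result %d\n", (unsigned)ids[i],
               bmap_word_index(ids[i]), (size_t)BITS_TO_LONGS(VLAN_N_VID),
               record_vlan_del_failure(&vp, ids[i]));
    return 0;
}
```

The printed word index for 4096 equals the array length, which is why the comparison has to be `>=` and not `>`.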
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2506
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
net: hns3: add VLAN id validation before using
Currently, the VLAN id may be used without validation when receiving a VLAN configuration mailbox from VF. The length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause out-of-bounds memory access once the VLAN id is bigger than or equal to VLAN_N_VID. Therefore, VLAN id needs to be checked to ensure it is within the range of VLAN_N_VID.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel OOB read in hns3 driver enables privilege escalation via crafted VF mailbox message in SR-IOV setups.
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of VLAN ID values received from VF mailbox messages before they are used as array indexes into vlan_del_fail_bmap.
Enforces information flow rules on untrusted mailbox messages sent by VFs to the PF driver, blocking malformed VLAN configuration data.
Requires isolation between VF and PF address spaces so that an invalid VLAN ID from a VF cannot cause out-of-bounds kernel memory access.