CVE-2025-71064

Vulnerability

Analysis

CVE-2025-71064 describes a resource allocation mismatch in the Linux kernel's HNS3 network driver, specifically in the virtual function (VF) handling code. The driver allocates two arrays: hdev->htqp using hdev->num_tqps and kinfo->tqp using kinfo->num_tqps. However, kinfo->num_tqps is set to min(new_tqps, hdev->num_tqps), which can be smaller than hdev->num_tqps. This leads to a scenario where some elements of hdev->htqp[index] remain uninitialized because the loop in hclgevf_knic_setup() only iterates up to kinfo->num_tqps [1].

Exploitability

An attacker with the ability to trigger the knic_setup path in the HNS3 VF driver—likely via network configuration changes or device hotplug—could cause the kernel to access uninitialized memory. This does not require remote network access but may require local capabilities to manipulate network interfaces [2].

Impact

When the driver attempts to use the uninitialized hdev->htqp entries (e.g., for queue operations), the kernel may dereference a wild pointer, causing a kernel panic (Oops) or memory corruption. This could lead to denial of service (DoS) or, in principle, system instability [3]. The privilege required is low (local user with netlink/sysfs access), and availability impact is high.

Mitigation

The fix, merged into the mainline kernel, changes both allocations to consistently use hdev->num_tqps, ensuring all htqp entries are properly initialized. Users should apply the corresponding stable kernel updates for their distribution [1][2]. No workaround is available aside from upgrading.