CVE-2025-71092

13.01.2026, 16:16

In the Linux kernel, the following vulnerability has been resolved:

RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()

Commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters
update") added three new counters and placed them after
BNXT_RE_OUT_OF_SEQ_ERR.

BNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware
statistics with different num_counters values on chip_gen_p5_p7 devices.

As a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating
hw_stats, which leads to an out-of-bounds write in
bnxt_re_copy_err_stats().

The counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and
BNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not
only p5/p7 devices.

Fix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they
are included in the generic counter set.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
Linux	CNA	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 not-affected
trixie	6.12.63-1 not-affected
bookworm	6.1.159-1 not-affected
bullseye (security)	5.10.247-1 fixed
bookworm (security)	6.1.158-1 fixed
trixie (security)	6.12.48-1 fixed
forky	vulnerable
sid	vulnerable

References

https://git.kernel.org/stable/c/369a161c48723f60f06f3510b82ea7d96d0499ab

https://git.kernel.org/stable/c/9b68a1cc966bc947d00e4c0df7722d118125aa37