DEBIAN-CVE-2025-71084

DEBIAN-CVE-2025-71084 PUBLISHED CVSS 5.5 MEDIUM

In the Linux kernel, the following vulnerability has been resolved: RDMA/cm: Fix leaking the multicast GID table reference If the CM ID is destroyed while the CM event for multicast creating is still queued the cancel_work_sync() will prevent the work from running which also prevents destroying the ah_attr. This leaks a refcount and triggers a WARN: GID entry ref leak for dev syz1 index 2 ref=573 WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline] WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886 Destroy the ah_attr after canceling the work, it is safe to call this twice.

Risk Scores

CVSS v3.1

5.5

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Debian:11	linux	5.10.244-1, 5.10.127-1, 5.10.120-1
Debian	linux
Debian:11	linux-6.1	6.1.158-1, 6.1.153-1, 6.1.148-1
Debian:13	linux	6.12.69-1~bpo12+1, 0, 6.12.38-1
Debian:14	linux	, , 6.16.8-1
Debian:12	linux	6.1.128-1, 6.1.55-1, 6.1.69-1

Exploit Intelligence

4081.3.7.yml (github-poc)

Timeline

Jan 13, 2026 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2025-71084 advisory

Open in Interactive Console →