Description
In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels

The MHI stack offers the 'auto_queue' feature, which allows the MHI stack to
auto queue the buffers for the RX path (DL channel). Though this feature
simplifies the client driver design, it introduces a race between the client
drivers and the MHI stack. For instance, with auto_queue, the 'dl_callback'
for the DL channel may get called before the client driver is fully probed.
This means, by the time the dl_callback gets called, the client driver's
structures might not be initialized, leading to a NULL ptr dereference.

Currently, the drivers have to work around this issue by initializing the
internal structures before calling mhi_prepare_for_transfer_autoqueue().
But even so, there is a chance that the client driver's internal code path
may call the MHI queue APIs before mhi_prepare_for_transfer_autoqueue() is
called, leading to a similar NULL ptr dereference. This issue has been
reported on the Qcom X1E80100 CRD machines affecting boot.

So to properly fix all these races, drop the MHI 'auto_queue' feature
altogether and let the client driver (QRTR) manage the RX buffers manually.
In the QRTR driver, queue the RX buffers based on the ring length during
probe and recycle the buffers in 'dl_callback' once they are consumed. This
also warrants removing the setting of 'auto_queue' flag from controller
drivers.

Currently, this 'auto_queue' feature is only enabled for IPCR DL channel.
So only the QRTR client driver requires the modification.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition exists in the MHI stack's auto_queue feature for IPCR DL channels: when the QRTR client driver is not yet fully initialized, the dl_callback can be invoked before the driver's structures are set up, causing a NULL pointer dereference and a kernel crash. This fault falls under missing ordering (CWE-366) and NULL pointer dereference (CWE-476). Because the crash occurs during early boot, it can render the system unbootable, effectively creating a denial of service.

Affected Systems

The affected product is the Linux kernel. Any kernel configuration that enables the MHI auto_queue feature for IPCR DL channels is susceptible, including the Qcom X1E80100 CRD machines where the issue was observed during boot. There is no version bound in the advisory; the vulnerability applies to all kernel releases containing the implicated code.

Risk and Exploitability

The severity is scored 5.5 on CVSS, indicating moderate risk. The EPSS score is 0.00022, reflecting a very low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is local (CVSS AV:L, PR:L): the race window lies in driver initialization during system boot, so triggering it requires influencing when the QRTR driver is probed relative to the MHI stack delivering DL buffers. Because the bug leads to a crash rather than privilege elevation, the primary consequence is service disruption rather than confidentiality or integrity compromise.

Generated by OpenCVE AI on May 12, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the upstream kernel patch that removes the MHI auto_queue feature for IPCR DL channels, eliminating the race condition.
  • If the patch cannot be applied immediately, backport the same change: remove the auto_queue flag from the controller drivers and modify the QRTR driver so that it queues RX buffers itself during probe (sized to the ring length) and recycles them in dl_callback once consumed.
  • Restart the system after applying any configuration changes to ensure the updated code takes effect and prevents the race during boot.

Advisories

No advisories yet.

History

Tue, 12 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 07 May 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-476

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-366
References
Metrics
  threat_severity: None
  cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
  threat_severity: Low


Wed, 06 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-476

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description: initial description added (identical to the Description section at the top of this page)
Title: net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:03:34.648Z

Reserved: 2026-05-06T11:31:45.509Z

Link: CVE-2025-71285

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T12:16:27.613

Modified: 2026-05-12T21:25:04.157

Link: CVE-2025-71285

Redhat

Severity : Low

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2025-71285 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-12T23:15:27Z

Weaknesses