Description
In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels

MHI stack offers the 'auto_queue' feature, which allows the MHI stack to
auto queue the buffers for the RX path (DL channel). Though this feature
simplifies the client driver design, it introduces a race between the client
drivers and the MHI stack. For instance, with auto_queue, the 'dl_callback'
for the DL channel may get called before the client driver is fully probed.
This means, by the time the dl_callback gets called, the client driver's
structures might not be initialized, leading to a NULL ptr dereference.

Currently, the drivers have to work around this issue by initializing the
internal structures before calling mhi_prepare_for_transfer_autoqueue().
But even so, there is a chance that the client driver's internal code path
may call the MHI queue APIs before mhi_prepare_for_transfer_autoqueue() is
called, leading to a similar NULL ptr dereference. This issue has been
reported on the Qcom X1E80100 CRD machines affecting boot.

So to properly fix all these races, drop the MHI 'auto_queue' feature
altogether and let the client driver (QRTR) manage the RX buffers manually.
In the QRTR driver, queue the RX buffers based on the ring length during
probe and recycle the buffers in 'dl_callback' once they are consumed. This
also warrants removing the setting of 'auto_queue' flag from controller
drivers.

Currently, this 'auto_queue' feature is only enabled for IPCR DL channel.
So only the QRTR client driver requires the modification.
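
A simplified user-space model of the first race described above and of the ordering the fix relies on, added here as an illustration. It is not the kernel patch or QRTR/MHI code, and every name in it (`struct channel`, `device_rx`, `manual_probe`, `RING_LEN`) is hypothetical.

```c
#include <stdio.h>

#define RING_LEN 4                       /* constructed DL ring length */
struct client { int rx_count; };         /* stands in for the client driver's state */
struct channel {
    struct client *drvdata;              /* NULL until the client finishes probing */
    void *ring[RING_LEN];                /* RX buffers currently queued */
    int queued;
};
static char bufs[RING_LEN][64];          /* constructed RX buffers */

static int queue_buf(struct channel *ch, void *buf) {
    if (ch->queued == RING_LEN) return -1;
    ch->ring[ch->queued++] = buf;
    return 0;
}
/* Returns -1 at the point where the kernel would dereference NULL. */
static int dl_callback(struct channel *ch, void *buf, int recycle) {
    if (!ch->drvdata) return -1;
    ch->drvdata->rx_count++;             /* consume the payload */
    return recycle ? queue_buf(ch, buf) : 0;
}
/* Incoming transfer: 1 means no buffer is queued, so no callback can run. */
static int device_rx(struct channel *ch, int recycle) {
    if (ch->queued == 0) return 1;
    return dl_callback(ch, ch->ring[--ch->queued], recycle);
}
/* auto_queue model: the stack fills the ring itself, before drvdata is set. */
static int autoqueue_early_rx(void) {
    struct channel ch = {0};
    for (int i = 0; i < RING_LEN; i++) queue_buf(&ch, bufs[i]);
    return device_rx(&ch, 0);            /* data arrives mid-probe */
}
/* Manual model: the client sets its state, then queues one buffer per ring slot. */
static int manual_probe(struct channel *ch, struct client *cl) {
    int early = device_rx(ch, 1);        /* same early data, but nothing is queued */
    ch->drvdata = cl;
    for (int i = 0; i < RING_LEN; i++)
        if (queue_buf(ch, bufs[i])) return -1;
    return early;
}

int main(void) {
    struct channel ch = {0};
    struct client cl = {0};
    int early = manual_probe(&ch, &cl);
    int steady = device_rx(&ch, 1);      /* after probe: consumed, then recycled */
    printf("auto_queue=%d manual_early=%d manual_steady=%d queued=%d\n",
           autoqueue_early_rx(), early, steady, ch.queued);
    return 0;
}
```

The model covers only the callback-before-probe race; the second race the description mentions (queue APIs called before `mhi_prepare_for_transfer_autoqueue()`) is not modelled.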
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from a race condition in the MHI stack’s auto_queue feature, which can trigger a NULL pointer dereference when the QRTR client driver’s structures are accessed before they are fully initialized. When this race occurs during system boot, the driver can crash, rendering the system unbootable and causing a denial of service. The issue exists only for IPCR DL channels and would impact any kernel that includes the QRTR driver and the MHI stack.

Affected Systems

The affected product is the Linux kernel. No specific kernel version range is listed; the vulnerability applies to any configuration that enables the MHI auto_queue feature for IPCR DL channels.

Risk and Exploitability

No CVSS score is specified and no EPSS score is available, so the exact risk level cannot be quantified. The CVE is not listed in KEV. The likely attack vector is the boot process, when the QRTR driver initializes; an attacker would need local privileged or kernel‑mode access to influence driver initialization or to trigger the race. Because the crash occurs before normal operation, the exploit would result in a denial of service rather than privilege escalation. The absence of publicly available exploits suggests the risk is primarily theoretical until the kernel update is applied.

Generated by OpenCVE AI on May 6, 2026 at 13:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the upstream kernel patch that removes the MHI auto_queue feature for IPCR DL channels to eliminate the race condition.
  • If the patch cannot be applied immediately, configure the system to disable the auto_queue flag in controller drivers and modify the QRTR driver to manually pre‑allocate and recycle RX buffers during probe and callback.
  • Restart the system after applying these changes to ensure the updated configuration takes effect and prevents the race during boot.

Generated by OpenCVE AI on May 6, 2026 at 13:57 UTC.

Advisories

No advisories yet.

History

Wed, 06 May 2026 14:15:00 +0000

Type: Weaknesses
Values Removed: none
Values Added: CWE-362, CWE-476

Wed, 06 May 2026 12:15:00 +0000

Values Added (no values removed):

Description: identical to the text in the Description section above
Title: net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:32:18.774Z

Reserved: 2026-05-06T11:31:45.509Z

Link: CVE-2025-71285

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:27.613

Modified: 2026-05-06T13:07:51.607

Link: CVE-2025-71285

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T14:00:06Z

Weaknesses