Description
In the Linux kernel, the following vulnerability has been resolved:

misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()

In the function bcm_vk_read(), the pointer entry is checked, indicating
that it can be NULL. If entry is NULL and rc is set to -EMSGSIZE, the
following code may cause null-pointer dereferences:

struct vk_msg_blk tmp_msg = entry->to_h_msg[0];
set_msg_id(&tmp_msg, entry->usr_msg_id);
tmp_msg.size = entry->to_h_blks - 1;

To prevent these possible null-pointer dereferences, copy to_h_msg,
usr_msg_id, and to_h_blks from iter into temporary variables, and return
these temporary variables to the application instead of accessing them
through a potentially NULL entry.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a possible null-pointer dereference inside the bcm_vk kernel driver during the bcm_vk_read() operation. When an entry pointer is NULL and the return code is set to -EMSGSIZE, the code attempts to read fields from the null entry, causing a kernel fault. This fault results in a kernel panic and system crash, effectively denying service to all users on the host. The weakness corresponds to a classic null-pointer dereference (CWE-476).
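The fix pattern from the description, shown as a simplified user-space model. This is an added example, not the driver's code: the struct layouts, the `model_read()` function, the `-ENOMSG` default and the single-entry queue are assumptions. Only the field names (`to_h_msg`, `usr_msg_id`, `to_h_blks`), the `entry`/`iter` pointers and the `-EMSGSIZE` path come from the description.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-ins: field names follow the description, layouts are assumed. */
struct vk_msg_blk { uint32_t msg_id; uint32_t size; };
struct work_entry {
    struct work_entry *next;
    uint32_t usr_msg_id, to_h_blks;
    struct vk_msg_blk to_h_msg[4];
};
/* Hypothetical model of the fixed read path (not the driver's code). */
static int model_read(struct work_entry *queue, uint32_t user_blks,
                      struct vk_msg_blk *out)
{
    struct work_entry *entry = NULL, *iter = queue;
    struct vk_msg_blk tmp_msg = {0};
    uint32_t tmp_usr_msg_id = 0, tmp_blks = 0;
    int rc = -ENOMSG;
    if (iter && user_blks >= iter->to_h_blks) {
        entry = iter;                  /* buffer fits: take the message */
        rc = 0;
    } else if (iter) {
        /* Buffer too small: entry stays NULL, so snapshot from iter now. */
        tmp_msg = iter->to_h_msg[0];
        tmp_usr_msg_id = iter->usr_msg_id;
        tmp_blks = iter->to_h_blks;
        rc = -EMSGSIZE;
    }
    if (entry) {
        *out = entry->to_h_msg[0];
        return (int)entry->to_h_blks;
    }
    if (rc == -EMSGSIZE) {
        /* The pre-fix code read entry->to_h_msg[0] etc. here, with entry == NULL. */
        tmp_msg.msg_id = tmp_usr_msg_id;   /* stands in for set_msg_id() */
        tmp_msg.size = tmp_blks - 1;
        *out = tmp_msg;
    }
    return rc;
}

int main(void)
{
    struct work_entry e = { NULL, 77, 3, { {1, 0} } };  /* constructed sample */
    struct vk_msg_blk out = {0};
    int rc = model_read(&e, 1, &out);
    printf("rc=%d id=%u size=%u\n", rc, out.msg_id, out.size);
    return 0;
}
```

The general rule the model illustrates: any value needed on an error path must be captured while the pointer it comes from is known to be valid, not re-read through a pointer that the success path alone initializes.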

Affected Systems

Linux kernel installations that include the bcm_vk driver. No specific kernel version range is listed, so all kernels shipping this driver before the patch are potentially affected.

Risk and Exploitability

The CVSS score is not provided, and the EPSS score is unavailable, indicating no publicly known exploitation trend at the time of analysis. The vulnerability is likely exploitable by local users who can invoke bcm_vk_read() (for example, by accessing the /dev/bcm_vk device or using an application that drives it). While local exploitation does not provide remote code execution, it can be used to disrupt availability. The absence of a KEV listing further suggests there are no known active exploits in the wild. Nonetheless, patching remains the recommended action to eliminate the crash vector.

Generated by OpenCVE AI on May 6, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that includes the bcm_vk_read null-pointer dereference fix.
  • Restrict access to the bcm_vk device so that only privileged users may open /dev/bcm_vk, mitigating the local exploitation surface.
  • If a kernel upgrade is not immediately possible, disable or unload the bcm_vk module to remove the vulnerable code from the kernel image.



Advisories

No advisories yet.

History

Wed, 06 May 2026 13:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-476

Wed, 06 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
Description | | (text as in the Description section above)
Title | | misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:32:23.223Z

Reserved: 2026-05-06T11:31:45.509Z

Link: CVE-2025-71291

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:28.330

Modified: 2026-05-06T13:07:51.607

Link: CVE-2025-71291

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T14:15:05Z

Weaknesses