{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-71092","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:30:19.650Z","datePublished":"2026-01-13T15:34:53.110Z","dateUpdated":"2026-05-11T21:54:35.542Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:54:35.542Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()\n\nCommit ef56081d1864 (\"RDMA/bnxt_re: RoCE related hardware counters\nupdate\") added three new counters and placed them after\nBNXT_RE_OUT_OF_SEQ_ERR.\n\nBNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware\nstatistics with different num_counters values on chip_gen_p5_p7 devices.\n\nAs a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating\nhw_stats, which leads to an out-of-bounds write in\nbnxt_re_copy_err_stats().\n\nThe counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and\nBNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not\nonly p5/p7 devices.\n\nFix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they\nare included in the generic counter set."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/infiniband/hw/bnxt_re/hw_counters.h"],"versions":[{"version":"ef56081d1864582a6db50710733416c0510b7826","lessThan":"369a161c48723f60f06f3510b82ea7d96d0499ab","status":"affected","versionType":"git"},{"version":"ef56081d1864582a6db50710733416c0510b7826","lessThan":"9b68a1cc966bc947d00e4c0df7722d118125aa37","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/infiniband/hw/bnxt_re/hw_counters.h"],"versions":[{"version":"6.18","status":"affected"},{"version":"0","lessThan":"6.18","status":"unaffected","versionType":"semver"},{"version":"6.18.4","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"6.18.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"6.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/369a161c48723f60f06f3510b82ea7d96d0499ab"},{"url":"https://git.kernel.org/stable/c/9b68a1cc966bc947d00e4c0df7722d118125aa37"}],"title":"RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()","x_generator":{"engine":"bippy-1.2.0"}}}}