Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71066

CVE-2025-71066: Linux Kernel Race Condition Vulnerability

CVE-2025-71066 is a race condition vulnerability in the Linux kernel's net/sched ets module that can lead to use-after-free. This article covers the technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2025-71066 Overview

CVE-2025-71066 is a Use-After-Free vulnerability in the Linux kernel's network traffic scheduler (net/sched) subsystem, specifically within the Enhanced Transmission Selection (ETS) qdisc implementation. The vulnerability arises from a race condition between the ets_qdisc_dequeue and ets_qdisc_change functions, which can lead to a Use-After-Free condition on a struct Qdisc object. Successful exploitation could allow an attacker with the capability to create new user and network namespaces to achieve arbitrary code execution with kernel privileges.

Critical Impact

Exploitation of this race condition vulnerability can allow local attackers to achieve kernel-level code execution through a Use-After-Free condition, potentially leading to complete system compromise.

Affected Products

  • Linux kernel (versions with vulnerable ETS qdisc implementation)
  • Systems with network namespace capabilities enabled
  • Distributions using affected Linux kernel builds

Discovery Timeline

  • 2026-01-13 - CVE CVE-2025-71066 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-71066

Vulnerability Analysis

The vulnerability exists in the ets_qdisc_change function within the Linux kernel's ETS (Enhanced Transmission Selection) traffic control subsystem. ETS is a network scheduler that allows prioritization of traffic classes. The root issue is a Time-of-Check Time-of-Use (TOCTOU) race condition that occurs when modifying qdisc configurations while dequeue operations are in progress.

When the ets_qdisc_change function reduces the number of bands, it follows a sequence that creates a dangerous window: classes are added to the active list while holding the sch_tree_lock, but after the lock is released, the function continues to free qdisc objects for removed classes. If ets_qdisc_dequeue is called during this window, it may attempt to access a qdisc object that has already been freed via qdisc_put, resulting in a Use-After-Free condition.

The vulnerability is particularly dangerous because the attacker can control the instruction pointer (RIP) through the freed object, enabling arbitrary code execution in kernel context.

Root Cause

The root cause is improper synchronization in the ets_qdisc_change function. While the function correctly uses sch_tree_lock to protect modifications to the class list and active list, it releases this lock before completing the cleanup of removed classes. Specifically, the function removes classes from the active list and then unlocks before calling qdisc_put to free the associated qdisc objects. This creates a race window where classes remain in the active list with references to freed qdisc objects.

The fix ensures that classes are always removed from the active list before their associated qdisc is deleted and freed, eliminating the race window.

Attack Vector

The attack requires local access and the capability to create new user and network namespaces, which is commonly available on modern Linux systems with unprivileged user namespace creation enabled. The attacker sets up a network configuration with ETS qdisc and multiple bands, then triggers a race condition by:

  1. Generating network traffic to keep the qdisc dequeue path active (e.g., using flood ping)
  2. Rapidly changing the ETS qdisc configuration to reduce the number of bands
  3. Timing the ets_qdisc_change operation to hit the vulnerable window between qdisc deallocation and NULL assignment

The reproducer script provided in the vulnerability disclosure demonstrates this attack by configuring an ETS qdisc with two strict bands, adding a traffic shaping filter, generating flood traffic, and then rapidly changing the qdisc configuration to trigger the race.

Detection Methods for CVE-2025-71066

Indicators of Compromise

  • Kernel panic or OOPS messages referencing ets_qdisc_dequeue or ets_qdisc_change functions
  • Unexpected system crashes when network qdisc configurations are modified under load
  • KASAN (Kernel Address Sanitizer) reports indicating Use-After-Free in net/sched/sch_ets.c
  • Suspicious tc qdisc commands rapidly modifying ETS configurations

Detection Strategies

  • Enable KASAN (Kernel Address Sanitizer) on development and test systems to detect Use-After-Free conditions
  • Monitor for unusual patterns of tc qdisc change commands, especially those modifying ETS band configurations
  • Deploy audit rules for network namespace creation combined with qdisc modifications
  • Implement syslog monitoring for kernel warnings related to net/sched subsystem

Monitoring Recommendations

  • Configure kernel logging to capture WARN and BUG messages from the net/sched subsystem
  • Monitor for processes creating new network namespaces, especially from unprivileged users
  • Track tc (traffic control) command usage for unusual configuration change patterns
  • Review system stability logs for unexplained kernel crashes that may indicate exploitation attempts

How to Mitigate CVE-2025-71066

Immediate Actions Required

  • Apply the kernel patches from the stable kernel trees immediately
  • Consider disabling unprivileged user namespace creation via sysctl kernel.unprivileged_userns_clone=0 if not required
  • Restrict access to traffic control utilities (tc) to trusted administrators
  • Monitor systems for signs of exploitation attempts while awaiting patch deployment

Patch Information

The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures that classes are always removed from the active list before deleting and freeing their associated qdisc objects. Multiple patches have been committed to the stable kernel trees:

Organizations should update to patched kernel versions as soon as possible through their distribution's package management system.

Workarounds

  • Disable unprivileged user namespace creation: sysctl -w kernel.unprivileged_userns_clone=0
  • Restrict CAP_NET_ADMIN capability to trusted users only
  • Limit access to the tc (traffic control) command through filesystem permissions or security policies
  • Consider using network namespace restrictions via seccomp or AppArmor/SELinux policies
bash
# Disable unprivileged user namespace creation
echo 0 > /proc/sys/kernel/unprivileged_userns_clone

# Or make persistent via sysctl configuration
echo "kernel.unprivileged_userns_clone = 0" >> /etc/sysctl.d/99-security.conf
sysctl -p /etc/sysctl.d/99-security.conf

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.