CVE-2025-71066 Overview
CVE-2025-71066 is a Use-After-Free vulnerability in the Linux kernel's network traffic scheduler (net/sched) subsystem, specifically within the Enhanced Transmission Selection (ETS) qdisc implementation. The vulnerability arises from a race condition between the ets_qdisc_dequeue and ets_qdisc_change functions, which can lead to a Use-After-Free condition on a struct Qdisc object. Successful exploitation could allow an attacker with the capability to create new user and network namespaces to achieve arbitrary code execution with kernel privileges.
Critical Impact
Exploitation of this race condition vulnerability can allow local attackers to achieve kernel-level code execution through a Use-After-Free condition, potentially leading to complete system compromise.
Affected Products
- Linux kernel (versions with vulnerable ETS qdisc implementation)
- Systems with network namespace capabilities enabled
- Distributions using affected Linux kernel builds
Discovery Timeline
- 2026-01-13 - CVE CVE-2025-71066 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71066
Vulnerability Analysis
The vulnerability exists in the ets_qdisc_change function within the Linux kernel's ETS (Enhanced Transmission Selection) traffic control subsystem. ETS is a network scheduler that allows prioritization of traffic classes. The root issue is a Time-of-Check Time-of-Use (TOCTOU) race condition that occurs when modifying qdisc configurations while dequeue operations are in progress.
When the ets_qdisc_change function reduces the number of bands, it follows a sequence that creates a dangerous window: classes are added to the active list while holding the sch_tree_lock, but after the lock is released, the function continues to free qdisc objects for removed classes. If ets_qdisc_dequeue is called during this window, it may attempt to access a qdisc object that has already been freed via qdisc_put, resulting in a Use-After-Free condition.
The vulnerability is particularly dangerous because the attacker can control the instruction pointer (RIP) through the freed object, enabling arbitrary code execution in kernel context.
Root Cause
The root cause is improper synchronization in the ets_qdisc_change function. While the function correctly uses sch_tree_lock to protect modifications to the class list and active list, it releases this lock before completing the cleanup of removed classes. Specifically, the function removes classes from the active list and then unlocks before calling qdisc_put to free the associated qdisc objects. This creates a race window where classes remain in the active list with references to freed qdisc objects.
The fix ensures that classes are always removed from the active list before their associated qdisc is deleted and freed, eliminating the race window.
Attack Vector
The attack requires local access and the capability to create new user and network namespaces, which is commonly available on modern Linux systems with unprivileged user namespace creation enabled. The attacker sets up a network configuration with ETS qdisc and multiple bands, then triggers a race condition by:
- Generating network traffic to keep the qdisc dequeue path active (e.g., using flood ping)
- Rapidly changing the ETS qdisc configuration to reduce the number of bands
- Timing the ets_qdisc_change operation to hit the vulnerable window between qdisc deallocation and NULL assignment
The reproducer script provided in the vulnerability disclosure demonstrates this attack by configuring an ETS qdisc with two strict bands, adding a traffic shaping filter, generating flood traffic, and then rapidly changing the qdisc configuration to trigger the race.
Detection Methods for CVE-2025-71066
Indicators of Compromise
- Kernel panic or OOPS messages referencing ets_qdisc_dequeue or ets_qdisc_change functions
- Unexpected system crashes when network qdisc configurations are modified under load
- KASAN (Kernel Address Sanitizer) reports indicating Use-After-Free in net/sched/sch_ets.c
- Suspicious tc qdisc commands rapidly modifying ETS configurations
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) on development and test systems to detect Use-After-Free conditions
- Monitor for unusual patterns of tc qdisc change commands, especially those modifying ETS band configurations
- Deploy audit rules for network namespace creation combined with qdisc modifications
- Implement syslog monitoring for kernel warnings related to net/sched subsystem
Monitoring Recommendations
- Configure kernel logging to capture WARN and BUG messages from the net/sched subsystem
- Monitor for processes creating new network namespaces, especially from unprivileged users
- Track tc (traffic control) command usage for unusual configuration change patterns
- Review system stability logs for unexplained kernel crashes that may indicate exploitation attempts
How to Mitigate CVE-2025-71066
Immediate Actions Required
- Apply the kernel patches from the stable kernel trees immediately
- Consider disabling unprivileged user namespace creation via sysctl kernel.unprivileged_userns_clone=0 if not required
- Restrict access to traffic control utilities (tc) to trusted administrators
- Monitor systems for signs of exploitation attempts while awaiting patch deployment
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures that classes are always removed from the active list before deleting and freeing their associated qdisc objects. Multiple patches have been committed to the stable kernel trees:
- Kernel Git Commit 06bfb66
- Kernel Git Commit 4546614
- Kernel Git Commit 9987cda
- Kernel Git Commit a75d617
- Kernel Git Commit ce052b9
Organizations should update to patched kernel versions as soon as possible through their distribution's package management system.
Workarounds
- Disable unprivileged user namespace creation: sysctl -w kernel.unprivileged_userns_clone=0
- Restrict CAP_NET_ADMIN capability to trusted users only
- Limit access to the tc (traffic control) command through filesystem permissions or security policies
- Consider using network namespace restrictions via seccomp or AppArmor/SELinux policies
# Disable unprivileged user namespace creation
echo 0 > /proc/sys/kernel/unprivileged_userns_clone
# Or make persistent via sysctl configuration
echo "kernel.unprivileged_userns_clone = 0" >> /etc/sysctl.d/99-security.conf
sysctl -p /etc/sysctl.d/99-security.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

