CVE-2025-71080 Overview
A race condition vulnerability has been identified in the Linux kernel's IPv6 routing subsystem. The vulnerability exists in the rt6_get_pcpu_route() function when running on PREEMPT_RT (Real-Time) kernels. When the function returns NULL, the current task can be preempted, allowing another task on the same CPU to execute rt6_make_pcpu_route() and install a pcpu_rt entry. When the original task resumes, its cmpxchg() operation fails because rt6i_pcpu is no longer NULL, triggering a BUG_ON(prev) condition.
Critical Impact
This vulnerability can cause kernel crashes via BUG_ON assertions on PREEMPT_RT Linux kernels, leading to denial of service conditions affecting system availability.
Affected Products
- Linux kernel with PREEMPT_RT configuration enabled
- Linux kernel IPv6 networking subsystem
- Systems utilizing per-CPU routing optimizations
Discovery Timeline
- 2026-01-13 - CVE CVE-2025-71080 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71080
Vulnerability Analysis
This vulnerability represents a classic race condition scenario specific to real-time preemption kernels. The core issue stems from a timing window between checking a per-CPU route entry and creating a new one. In standard kernel configurations, this race condition is unlikely due to the execution context, but PREEMPT_RT kernels allow preemption at more points, exposing this vulnerability.
The race window occurs in the following sequence: when rt6_get_pcpu_route() returns NULL indicating no per-CPU route exists, the kernel proceeds to allocate and install a new route via rt6_make_pcpu_route(). However, under PREEMPT_RT, another task can be scheduled on the same CPU during this window, complete its own route installation, and modify the rt6i_pcpu pointer. When the first task resumes and attempts its cmpxchg() operation, it unexpectedly fails because the value has changed, hitting the BUG_ON assertion.
The vulnerability is reproducible by artificially widening the race window using mdelay() after rt6_get_pcpu_route().
Root Cause
The root cause is the assumption that rt6i_pcpu cannot change between the NULL check in rt6_get_pcpu_route() and the cmpxchg() in rt6_make_pcpu_route(). This assumption holds in non-PREEMPT_RT kernels where the execution context prevents preemption, but fails under PREEMPT_RT due to its more aggressive preemption model. Using preempt_disable/enable to protect this critical section is not viable because ip6_rt_pcpu_alloc() may sleep, which is incompatible with disabled preemption.
Attack Vector
An attacker with local access to a PREEMPT_RT Linux system could potentially trigger this race condition to cause kernel panics and denial of service. The attack requires:
- A system running a Linux kernel with PREEMPT_RT configuration
- The ability to generate IPv6 traffic that triggers per-CPU route allocation
- Timing conditions that cause multiple tasks to race on route installation
While exploitation requires specific kernel configuration and timing, the vulnerability can lead to system instability and crashes in production real-time environments.
Detection Methods for CVE-2025-71080
Indicators of Compromise
- Kernel panic messages containing BUG_ON assertions in rt6_make_pcpu_route() or related IPv6 routing functions
- System crashes or unexpected reboots on PREEMPT_RT kernels during IPv6 network activity
- Kernel oops logs referencing rt6_get_pcpu_route or rt6i_pcpu in the stack trace
Detection Strategies
- Monitor system logs for kernel BUG or panic messages related to IPv6 routing subsystem components
- Implement kernel crash dump analysis to identify instances of this specific race condition
- Use kernel tracing tools (ftrace, eBPF) to monitor rt6_get_pcpu_route() and rt6_make_pcpu_route() execution patterns on PREEMPT_RT systems
Monitoring Recommendations
- Configure kdump or crash collection tools to capture kernel crash information for post-incident analysis
- Enable kernel address sanitizer (KASAN) and kernel concurrency sanitizer (KCSAN) in development environments to detect race conditions
- Monitor for unusual patterns in IPv6 routing behavior or unexpected per-CPU route allocation failures
How to Mitigate CVE-2025-71080
Immediate Actions Required
- Update affected Linux kernels to versions containing the fix (commits 1adaea5, 1dc33ad, or 787515c)
- If immediate patching is not possible, consider temporarily disabling PREEMPT_RT configuration on affected systems if real-time requirements permit
- Monitor production systems for kernel crashes related to IPv6 routing
Patch Information
The fix has been committed to the Linux kernel stable branches. The patch modifies the behavior to gracefully handle cmpxchg() failures on PREEMPT_RT kernels by freeing the local allocation and returning the existing pcpu_rt installed by another task. For non-PREEMPT_RT kernels, the BUG_ON is replaced with WARN_ON_ONCE to avoid crashes while still alerting to unexpected races.
Patches are available from:
Workarounds
- Disable PREEMPT_RT kernel configuration temporarily if the real-time preemption feature is not critical for your workload
- Reduce IPv6 routing activity on affected systems until patches can be applied
- Consider using IPv4-only networking temporarily on critical PREEMPT_RT systems pending kernel updates
# Check if your kernel has PREEMPT_RT enabled
uname -a | grep -i rt
cat /proc/version | grep -i preempt
# Check kernel configuration (if available)
zcat /proc/config.gz 2>/dev/null | grep PREEMPT_RT || \
cat /boot/config-$(uname -r) 2>/dev/null | grep PREEMPT_RT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
