Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71086

CVE-2025-71086: Linux Kernel Buffer Overflow Vulnerability

CVE-2025-71086 is a buffer overflow flaw in the Linux Kernel's rose_kill_by_device() function that causes invalid array indexing and pointer dereference. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-71086 Overview

CVE-2025-71086 is a Linux kernel vulnerability in the ROSE (Remote Operations Service Element) amateur radio networking stack. The flaw resides in the rose_kill_by_device() function, which uses an incorrect array index when iterating over collected sockets during device teardown. The bug causes either an uninitialized read or an out-of-bounds read, leading to invalid socket pointer dereference and reference leaks from sock_hold(). The issue affects multiple Linux kernel versions, including 6.7 and several 6.19 release candidates. Local attackers with low privileges can trigger the condition to compromise kernel memory integrity and system availability.

Critical Impact

Local attackers can trigger an invalid socket pointer dereference in the ROSE networking subsystem, leading to potential kernel memory corruption, reference count leaks, and denial of service.

Affected Products

  • Linux Kernel (multiple versions, including 6.7)
  • Linux Kernel 6.19 release candidates (rc1 through rc8)
  • Distributions shipping kernels with the ROSE protocol module enabled

Discovery Timeline

  • 2026-01-13 - CVE-2025-71086 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2025-71086

Vulnerability Analysis

The vulnerability resides in rose_kill_by_device() within the Linux kernel's ROSE protocol implementation. This function handles the disconnection of sockets bound to a network device that is being brought down. The function first collects affected sockets into a local fixed-size array, incrementing a counter cnt for each entry added. It then iterates over the populated entries to perform cleanup operations.

The defect lies in the iteration loop, which references array[cnt] instead of array[i]. When cnt is less than ARRAY_SIZE(array), the loop reads an uninitialized entry beyond the populated range. When cnt equals ARRAY_SIZE(array), the access becomes an out-of-bounds read past the array's allocated bounds. Both conditions yield invalid socket pointers that the kernel subsequently dereferences. The bug is classified under [CWE-129] (Improper Validation of Array Index).

Root Cause

The root cause is a simple but consequential indexing error in the cleanup loop of rose_kill_by_device(). The loop variable i is the correct index into the populated portion of the local array, but the code mistakenly used cnt, which is the total count rather than the iteration position. This breaks the invariant that each iteration operates on a valid, previously stored socket reference taken via sock_hold().

Attack Vector

Exploitation requires local access with low privileges and the ability to interact with the ROSE protocol stack. An attacker triggers device teardown events involving ROSE-bound sockets to invoke the vulnerable code path. The resulting invalid pointer dereference can corrupt kernel state, leak socket references, and destabilize the system. The patch corrects the index from cnt to i, restoring proper iteration. Refer to the upstream fix at Linux Kernel Commit 1418c12 for the exact change.

Detection Methods for CVE-2025-71086

Indicators of Compromise

  • Kernel oops or panic messages referencing rose_kill_by_device in dmesg or /var/log/kern.log
  • Unexpected socket reference count leaks associated with the ROSE protocol module
  • KASAN (Kernel Address Sanitizer) reports flagging out-of-bounds reads in the ROSE subsystem

Detection Strategies

  • Audit loaded kernel modules for the presence of rose.ko on systems where amateur radio networking is not required
  • Monitor kernel logs for crash signatures involving ROSE socket cleanup paths during interface state changes
  • Use kernel runtime instrumentation such as KASAN or KFENCE on test systems to surface the invalid memory access

Monitoring Recommendations

  • Track kernel version inventory against the patched commits listed in the vendor advisories
  • Alert on repeated network interface down events combined with kernel warnings on the same host
  • Correlate socket reference accounting anomalies with system stability events

How to Mitigate CVE-2025-71086

Immediate Actions Required

  • Apply the upstream kernel patches referenced in the vendor advisories as soon as distribution builds are available
  • Unload the rose kernel module on systems that do not require amateur radio networking using modprobe -r rose
  • Blacklist the ROSE module on production systems where it is not operationally required

Patch Information

The Linux kernel maintainers released the fix across multiple stable branches. The corrective change replaces array[cnt] with array[i] in the cleanup loop of rose_kill_by_device(). Apply distribution-provided kernel updates that incorporate the relevant commits, including Linux Kernel Commit 1418c12, Linux Kernel Commit 6595beb4, Linux Kernel Commit 819fb41a, Linux Kernel Commit 92d900aa, Linux Kernel Commit 9f6185a3, Linux Kernel Commit b409ba9e, and Linux Kernel Commit ed263941.

Workarounds

  • Prevent the ROSE module from loading by adding blacklist rose to /etc/modprobe.d/blacklist-rose.conf
  • Restrict access to raw socket creation through user namespace and capability controls to limit local attack surface
  • Apply distribution kernel hardening features such as KASLR and SMAP to raise the cost of exploitation
bash
# Configuration example
echo 'blacklist rose' | sudo tee /etc/modprobe.d/blacklist-rose.conf
sudo modprobe -r rose

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.