The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71091

CVE-2025-71091: Linux Kernel Privilege Escalation Flaw

CVE-2025-71091 is a privilege escalation vulnerability in the Linux kernel team driver that causes list corruption when port priority changes occur on disabled ports. This article covers technical details, impact, and mitigation.

Updated: January 22, 2026

CVE-2025-71091 Overview

A race condition vulnerability exists in the Linux kernel's team network driver that can lead to list corruption and a kernel panic. The flaw is located in the team_queue_override_port_prio_changed() function within drivers/net/team/team_core.c, where an improper check for port enabled state allows a double-free condition on a linked list entry. This vulnerability was discovered through syzkaller fuzzing and affects systems using the team network driver for link aggregation.

Critical Impact

Exploitation of this vulnerability can cause a kernel BUG (panic) resulting in complete system denial of service, requiring a hard reboot to recover.

Affected Products

  • Linux kernel with team network driver enabled
  • Systems using link aggregation via the team driver
  • Affected kernel versions prior to the security patches

Discovery Timeline

  • 2026-01-13 - CVE CVE-2025-71091 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-71091

Vulnerability Analysis

This vulnerability arises from a logic flaw in the team network driver's queue override handling. The team driver provides network link aggregation functionality in Linux, managing multiple physical ports as a single logical interface. The vulnerable code path involves the port priority change handler, which incorrectly assumes that a port with a non-zero queue_id is still present in the queue management list.

The root issue manifests when the following sequence occurs:

  1. A port is enabled with a non-zero queue_id, placing it in the qom_list (queue override management list)
  2. The port gets disabled via team_port_disable(), which calls team_queue_override_port_del() to remove it from the list
  3. The port is now disabled with queue_id != 0, but is not in any list
  4. A priority change triggers team_queue_override_port_prio_changed(), which checks if the port is disabled AND has a non-zero queue_id
  5. The function erroneously attempts to delete the port from the list again, triggering a double-free on the RCU-protected list entry

The kernel's debug list checking code detects the corruption when list_del_rcu() is called on an already-freed list entry, where the prev pointer contains LIST_POISON2 (0xdead000000000122), indicating prior deletion.

Root Cause

The root cause is an incorrect conditional check in team_queue_override_port_prio_changed(). The function checks whether the port is disabled AND has a non-zero queue_id, but this condition is insufficient to determine whether the port is actually present in the queue management list. A disabled port may have already been removed from the list, making the subsequent list deletion operation invalid and triggering a kernel BUG.

Attack Vector

An attacker with local access and the ability to manipulate network interfaces can trigger this vulnerability through the netlink interface. The attack involves:

  1. Creating a team interface and adding ports with specific queue configurations
  2. Disabling a port while it has a non-zero queue_id
  3. Changing the priority of the disabled port via the team_nl_options_set_doit() netlink handler
  4. This triggers the invalid list deletion, causing a kernel panic

The vulnerability is exploitable through the generic netlink interface (genl_rcv_msg) which handles team driver configuration options. While this typically requires elevated privileges or specific capabilities (e.g., CAP_NET_ADMIN), the impact is a complete system denial of service.

Detection Methods for CVE-2025-71091

Indicators of Compromise

  • Kernel panic messages containing "list_del corruption" with LIST_POISON2 addresses
  • Crash traces referencing __team_queue_override_port_del in drivers/net/team/team_core.c
  • System hangs or unexpected reboots on systems using team network driver
  • Kernel oops with RIP pointing to __list_del_entry_valid_or_report in lib/list_debug.c

Detection Strategies

  • Monitor kernel logs for list corruption warnings using dmesg or syslog with patterns matching "list_del corruption" and "team"
  • Deploy kernel crash dump analysis tools (kdump/crash) to capture and analyze kernel panics
  • Use SentinelOne's kernel-level visibility to detect anomalous netlink operations targeting the team driver
  • Implement auditd rules to log team interface configuration changes via netlink

Monitoring Recommendations

  • Enable kernel debugging options like CONFIG_DEBUG_LIST to get early detection of list corruption
  • Configure kdump to capture kernel crash dumps for post-mortem analysis
  • Monitor for rapid team interface configuration changes that could indicate exploitation attempts
  • Use SentinelOne Singularity platform for real-time kernel-level threat detection and alerting

How to Mitigate CVE-2025-71091

Immediate Actions Required

  • Apply the latest kernel security patches from your Linux distribution vendor
  • If patches are not immediately available, consider disabling or removing the team network driver module if not required
  • Restrict access to network configuration capabilities (CAP_NET_ADMIN) to trusted users only
  • Monitor systems using team driver link aggregation for stability issues

Patch Information

The fix modifies the check in team_queue_override_port_prio_changed() to return early if the port is not enabled, preventing the double-free condition. Multiple kernel stable tree patches are available:

  • Kernel commit 107d245f84cb
  • Kernel commit 53a727a8bfd7
  • Kernel commit 6bfb62b6010a
  • Kernel commit 932ac51d9953
  • Kernel commit b71187648ef2

Workarounds

  • Unload the team driver module if not in use: modprobe -r team
  • Blacklist the team module in /etc/modprobe.d/ to prevent automatic loading
  • Switch to alternative bonding solutions (e.g., the bonding driver) if feasible for your environment
  • Implement network namespace isolation to limit exposure of team interfaces
bash
# Temporarily disable team driver module
modprobe -r team team_mode_broadcast team_mode_roundrobin team_mode_activebackup team_mode_loadbalance

# Permanently blacklist team driver (create file /etc/modprobe.d/blacklist-team.conf)
echo "blacklist team" >> /etc/modprobe.d/blacklist-team.conf
echo "blacklist team_mode_broadcast" >> /etc/modprobe.d/blacklist-team.conf
echo "blacklist team_mode_roundrobin" >> /etc/modprobe.d/blacklist-team.conf
echo "blacklist team_mode_activebackup" >> /etc/modprobe.d/blacklist-team.conf
echo "blacklist team_mode_loadbalance" >> /etc/modprobe.d/blacklist-team.conf

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePrivilege Escalation
  • Vendor/TechLinux Kernel
  • SeverityNONE
  • CVSS ScoreN/A
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Linux Kernel Commit Changes
  • Linux Kernel Commit Changes
  • Linux Kernel Commit Changes
  • Linux Kernel Commit Changes
  • Linux Kernel Commit Changes
  • Related CVEs
  • CVE-2026-31411: Linux Kernel Privilege Escalation Flaw
  • CVE-2026-23438: Linux Kernel Privilege Escalation Flaw
  • CVE-2026-23439: Linux Kernel Privilege Escalation Flaw
  • CVE-2026-23437: Linux Kernel Privilege Escalation Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English