
CVE-2025-71091: Linux Kernel Privilege Escalation Flaw

CVE-2025-71091 is a privilege escalation vulnerability in the Linux Kernel team driver that causes list corruption through improper port state checks. This article covers technical details, affected versions, impact, and mitigation.


CVE-2025-71091 Overview

CVE-2025-71091 is a use-after-free vulnerability in the Linux kernel's team network driver. The flaw resides in team_queue_override_port_prio_changed() within drivers/net/team/team_core.c. The function fails to verify that a port is enabled before attempting to remove it from the queue override mapping (qom_list). When a disabled port with a non-zero queue_id undergoes a priority change, the kernel calls __team_queue_override_port_del() on a port already removed from the list, triggering list corruption and a kernel BUG at lib/list_debug.c:59.

Critical Impact

Local attackers with low privileges can trigger kernel memory corruption through netlink socket operations, leading to denial of service or potential privilege escalation on systems using the team driver.

Affected Products

  • Linux kernel versions prior to the patched commits (regression introduced via team driver queue override logic)
  • Linux kernel 6.19 release candidates rc1 through rc8
  • Linux kernel 3.11 and subsequent stable branches utilizing the team network driver

Discovery Timeline

  • 2026-01-13 - CVE-2025-71091 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2025-71091

Vulnerability Analysis

The vulnerability exists in the Linux kernel's team driver, which provides Ethernet link aggregation similar to bonding. A syzkaller fuzzing run produced a reproducible crash showing list_del corruption in which the entry's previous pointer equals LIST_POISON2 (dead000000000122). list_del() stores LIST_POISON2 into the prev pointer of the entry it removes, so finding that value on a later removal confirms the entry was already deleted: a double-removal condition.

The call chain reaches __team_queue_override_port_del() via team_priority_option_set() after team_nl_options_set_doit() processes a netlink message. Since the port was already removed from qom_list during a prior disable operation, calling list_del_rcu again corrupts kernel list structures and triggers the BUG handler.

Root Cause

The defect is an incorrect state check in team_queue_override_port_prio_changed(). The original logic checked whether the port was disabled and had a non-zero queue_id before calling the deletion path. However, a disabled port has already been removed from qom_list by team_port_disable(). The corrected logic returns early when the port is not enabled, preventing the duplicate list_del operation.
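To make the state check concrete, the following is an added user-space model, not the kernel's code: the list, the poison constant and the function names are simplified stand-ins for the team driver pieces named above, the vulnerable and fixed variants carry the two conditions the text describes, and a boolean return stands in for the BUG() that lib/list_debug.c raises on a poisoned pointer.

```c
/* Added user-space model, not kernel code: simplified stand-ins for the team driver's qom_list handling. */
#include <stdbool.h>
#include <stdio.h>
struct node { struct node *prev, *next; };
struct team_port { int index; unsigned int queue_id; struct node qom_list; };
#define LIST_POISON2 ((struct node *)0xdead000000000122ULL)   /* value list_del() leaves in prev */
static struct node qom_head = { &qom_head, &qom_head };
static bool team_port_enabled(const struct team_port *p) { return p->index != -1; }
/* Returns false where lib/list_debug.c would BUG() on an already-poisoned prev pointer. */
static bool list_del_checked(struct node *n) {
    if (n->prev == LIST_POISON2) return false;             /* double removal */
    n->prev->next = n->next; n->next->prev = n->prev;
    n->prev = LIST_POISON2;
    return true;
}
static void list_add_head(struct node *n) {
    n->next = qom_head.next; n->prev = &qom_head;
    qom_head.next->prev = n; qom_head.next = n;
}
/* team_port_disable(): the port leaves the enabled set and its qom entry is removed once. */
static bool port_disable(struct team_port *p) {
    if (!team_port_enabled(p)) return true;
    p->index = -1;
    return p->queue_id ? list_del_checked(&p->qom_list) : true;
}
/* Vulnerable check: proceeds exactly when the port is disabled, i.e. after port_disable()
 * has already removed the entry, so the list_del() below is the second one. */
static bool prio_changed_vulnerable(struct team_port *p) {
    if (!p->queue_id || team_port_enabled(p)) return true;
    return list_del_checked(&p->qom_list);
}
/* Fixed check: only an enabled port owns a live qom entry, so return early otherwise. */
static bool prio_changed_fixed(struct team_port *p) {
    if (!p->queue_id || !team_port_enabled(p)) return true;
    if (!list_del_checked(&p->qom_list)) return false;
    list_add_head(&p->qom_list);   /* the driver re-inserts in priority order; ordering omitted here */
    return true;
}
/* Sequence from the text: enabled port with queue_id != 0, optionally disabled, then a priority change. */
static bool scenario(bool (*prio_changed)(struct team_port *), bool disable_first) {
    struct team_port p = { .index = 0, .queue_id = 1 };
    qom_head.next = qom_head.prev = &qom_head;
    list_add_head(&p.qom_list);
    if (disable_first && !port_disable(&p)) return false;
    return prio_changed(&p);
}
int main(void) {
    printf("vulnerable: %s\n", scenario(prio_changed_vulnerable, true) ? "ok" : "double list_del");
    printf("fixed: %s\n", scenario(prio_changed_fixed, true) ? "ok" : "double list_del");
}
```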

Attack Vector

Exploitation requires local access with the ability to send netlink messages to the team driver. An attacker disables a team port with queue_id != 0, then issues a priority change through the netlink generic family interface. The kernel reaches the vulnerable code path and dereferences a poisoned list entry. The flaw is reachable through the standard sendmsg() syscall on a netlink socket, as demonstrated by the syzkaller trace targeting team_nl_options_set_doit.

The vulnerability mechanism is described in the upstream commit messages referenced in the kernel.org stable tree. No public proof-of-concept beyond the syzkaller reproducer has been released.

Detection Methods for CVE-2025-71091

Indicators of Compromise

  • Kernel log entries containing list_del corruption referencing LIST_POISON2 (dead000000000122)
  • kernel BUG at lib/list_debug.c:59 panic messages following netlink activity on team interfaces
  • Unexpected kernel oops with __list_del_entry_valid_or_report in the stack trace alongside team_queue_override_port_prio_changed

Detection Strategies

  • Monitor dmesg and /var/log/kern.log for list corruption signatures involving the team driver call chain
  • Audit unprivileged processes invoking sendmsg() against AF_NETLINK sockets bound to the generic netlink team family
  • Correlate process crashes that occur immediately after team port configuration changes through teamd or iproute2 tooling
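As an added example of the log-based detection described in the two lists above (not part of the advisory), this correlates the LIST_POISON2 list_del line with a team driver frame inside the same oops, so an unrelated driver hitting the same poison check is not reported. The kern.log excerpts are constructed samples, not a real trace.

```c
/* Added example, not from the advisory: correlate the two dmesg indicators within one oops.
 * The sample lines are constructed and only approximate real kernel output. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True when a list_del corruption line carrying LIST_POISON2 is followed, before the
 * "---[ end trace" marker that closes the oops, by a frame from the team driver call chain. */
static bool oops_matches_cve_2025_71091(const char *const *lines, size_t n) {
    bool poisoned = false;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (strstr(l, "list_del corruption") && strstr(l, "dead000000000122"))
            poisoned = true;                       /* first indicator seen */
        else if (strstr(l, "---[ end trace"))
            poisoned = false;                      /* oops closed without a team frame */
        else if (poisoned && (strstr(l, "team_queue_override_port_prio_changed") ||
                              strstr(l, "team_priority_option_set")))
            return true;                           /* both indicators inside one oops */
    }
    return false;
}

static const char *const sample_hit[] = {   /* constructed: matches the advisory's signature */
    "kernel: list_del corruption, ffff888012345678->prev is LIST_POISON2 (dead000000000122)",
    "kernel: kernel BUG at lib/list_debug.c:59!",
    "kernel: Call Trace:",
    "kernel:  __list_del_entry_valid_or_report+0x9e/0x100",
    "kernel:  team_queue_override_port_prio_changed+0x5c/0x90",
    "kernel:  team_priority_option_set+0x44/0x60",
    "kernel: ---[ end trace 0000000000000000 ]---",
};
static const char *const sample_miss[] = {  /* constructed: same poison, unrelated driver */
    "kernel: list_del corruption, ffff888087654321->prev is LIST_POISON2 (dead000000000122)",
    "kernel:  some_other_driver_remove+0x10/0x20",
    "kernel: ---[ end trace 0000000000000000 ]---",
};
static bool sample_hit_matches(void)  { return oops_matches_cve_2025_71091(sample_hit, sizeof sample_hit / sizeof *sample_hit); }
static bool sample_miss_matches(void) { return oops_matches_cve_2025_71091(sample_miss, sizeof sample_miss / sizeof *sample_miss); }
int main(void) {
    printf("hit sample: %d, miss sample: %d\n", sample_hit_matches(), sample_miss_matches());
}
```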

Monitoring Recommendations

  • Enable kernel auditing for netlink operations targeting the team genl family and forward events to a centralized log store
  • Track host-level kernel panics and oops events as high-priority telemetry, particularly on systems where team aggregation is configured
  • Inventory hosts running affected kernel versions and flag any with non-root processes capable of CAP_NET_ADMIN use

How to Mitigate CVE-2025-71091

Immediate Actions Required

  • Apply the upstream kernel patches from the git.kernel.org stable tree referenced in the vendor advisory commits
  • Identify systems using the team driver (lsmod | grep team) and prioritize them for patching
  • Restrict CAP_NET_ADMIN to trusted administrative accounts only to limit who can reach the vulnerable netlink path

Patch Information

The fix modifies team_queue_override_port_prio_changed() to return early when the port is not enabled, preventing the double list_del condition. Patched commits are available in the stable Linux kernel tree:

Workarounds

  • Blacklist the team kernel module on hosts that do not require link aggregation via team
  • Use the bonding driver as an alternative aggregation mechanism where feasible until patches are deployed
  • Constrain user namespace creation and CAP_NET_ADMIN delegation to reduce the attack surface for local unprivileged callers

```bash
# Blacklist the team module to prevent loading on unpatched hosts.
# "blacklist" only stops alias-based autoload (e.g. ip link ... type team);
# the "install" override also makes an explicit modprobe of the module fail.
echo 'blacklist team' | sudo tee /etc/modprobe.d/disable-team.conf
echo 'install team /bin/false' | sudo tee -a /etc/modprobe.d/disable-team.conf
# Unload any loaded mode modules first (they hold a reference on team);
# add team_mode_roundrobin/broadcast/random if lsmod shows them.
sudo rmmod team_mode_loadbalance team_mode_activebackup team 2>/dev/null
sudo update-initramfs -u   # Debian/Ubuntu; on dracut-based distributions run: sudo dracut -f
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
