CVE-2025-71099 Overview
CVE-2025-71099 is a use-after-free vulnerability [CWE-416] in the Linux kernel's Intel Xe graphics driver, specifically in the observation architecture (OA) subsystem. The flaw is in the xe_oa_add_config_ioctl() function, which reads the oa_config->id field after releasing the metrics_lock mutex that protects the configuration object's lifetime. A local attacker with low privileges can race the add-config ioctl against xe_oa_remove_config_ioctl() so that the configuration object is freed before the field is read. According to the advisory, the affected versions are Linux kernel 6.11 and the 6.19-rc1 through 6.19-rc8 release candidates.
Critical Impact
Local attackers with low privileges can trigger a use-after-free in the Linux kernel, potentially leading to privilege escalation, kernel memory corruption, or denial of service on systems using Intel Xe graphics. Note that the post-unlock access is a read of a single integer field: the outcomes to expect first are a kernel crash or a stale identifier returned to userspace. Turning the bug into a controlled write or a privilege escalation would need additional primitives that the advisory does not describe.
Affected Products
- Linux kernel 6.11
- Linux kernel 6.19-rc1 through 6.19-rc8
- Systems using the Intel Xe DRM driver with OA (Observation Architecture) support
Discovery Timeline
- 2026-01-13 - CVE-2025-71099 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2025-71099
Vulnerability Analysis
The vulnerability lives in the Intel Xe Direct Rendering Manager (DRM) driver's performance counter observation code. The xe_oa_add_config_ioctl() function creates a new OA configuration object and assigns it a unique identifier under the protection of metrics_lock. After registering the configuration, the function releases the mutex and then dereferences oa_config->id to return the identifier to userspace.
This dereference occurs outside the critical section that guarantees oa_config remains valid. The fix caches the identifier in a local variable while the lock is still held, eliminating the post-unlock dereference. The patch was cherry-picked from upstream commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31.
Root Cause
The root cause is improper synchronization between two ioctl handlers that share the same configuration object. The metrics_lock mutex governs the lifetime of oa_config structures, but xe_oa_add_config_ioctl() accesses fields of the structure after releasing the lock. This violates the lock's invariant and creates a narrow window in which a concurrent xe_oa_remove_config_ioctl() call can free the object.
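The pattern behind the bug and the fix, shown as an added example rather than the kernel's own code: a single-threaded user-space model in which OA configs live in a registry guarded by metrics_lock and remove_config() frees one by id. add_config_vulnerable() reads cfg->id after dropping the lock, which is the shape of the bug; add_config_fixed() caches the id while the lock still keeps the object alive, which is the shape of the fix. The "racer" hook stands in for the remove thread winning the race window. Everything beyond the names taken from the advisory (the fixed pool, the poisoning free, POISON_ID, the sequential id counter) is an assumption of this demo; the real kernel structures and allocator are not reproduced.

```c
/* Added example (not the kernel's code): single-threaded model of the
 * lock/lifetime bug. Demo assumptions: configs come from a fixed pool and
 * "free" poisons them with POISON_ID, as a poisoning allocator would, so the
 * stale read is visible without real undefined behaviour. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CONFIGS 8
#define MAX_IDS     64
#define POISON_ID   0xdeadbeefu

struct mutex { int held; };                        /* stand-in for the kernel mutex */
static struct mutex metrics_lock;
static void mutex_lock(struct mutex *m)   { m->held++; }
static void mutex_unlock(struct mutex *m) { m->held--; }

struct oa_config { uint32_t id; bool in_use; };
static struct oa_config  pool[MAX_CONFIGS];
static struct oa_config *registry[MAX_IDS];        /* indexed by id; 0 is unused */
static uint32_t next_id = 1;                       /* ids are handed out sequentially */

/* "kmalloc" from the pool; caller holds metrics_lock */
static struct oa_config *config_alloc(void)
{
	for (int i = 0; i < MAX_CONFIGS; i++)
		if (!pool[i].in_use) { pool[i].in_use = true; return &pool[i]; }
	return NULL;
}

/* "kfree": poison and return to the pool; caller holds metrics_lock */
static void config_free(struct oa_config *cfg) { cfg->id = POISON_ID; cfg->in_use = false; }

/* Model of xe_oa_remove_config_ioctl(): look up by id, free under the lock.
 * Returns 0 on success, -1 (-ENOENT in the kernel) for an unknown id. */
int remove_config(uint32_t id)
{
	int ret = -1;
	mutex_lock(&metrics_lock);
	if (id > 0 && id < MAX_IDS && registry[id]) {
		config_free(registry[id]);
		registry[id] = NULL;
		ret = 0;
	}
	mutex_unlock(&metrics_lock);
	return ret;
}

/* Shared add path: allocate, assign the next id, publish. Returns with
 * metrics_lock HELD so the two variants below differ only in where id is read. */
static struct oa_config *add_config_locked(void)
{
	struct oa_config *cfg = NULL;
	mutex_lock(&metrics_lock);
	if (next_id < MAX_IDS && (cfg = config_alloc()) != NULL) {
		cfg->id = next_id++;
		registry[cfg->id] = cfg;
	}
	return cfg;
}

typedef void (*race_hook_t)(void);   /* models the concurrent remove thread */

/* Bug shape: unlock, let the racer run, then read through cfg. After a
 * successful remove the read hits freed memory (poisoned here; in the kernel,
 * whatever the slab allocator has since placed there). */
uint32_t add_config_vulnerable(race_hook_t racer)
{
	struct oa_config *cfg = add_config_locked();
	mutex_unlock(&metrics_lock);
	if (racer) racer();
	return cfg ? cfg->id : 0;          /* use-after-free read */
}

/* Fix shape: read the id while the lock still guarantees cfg is alive. */
uint32_t add_config_fixed(race_hook_t racer)
{
	struct oa_config *cfg = add_config_locked();
	uint32_t id = cfg ? cfg->id : 0;   /* cached under the lock */
	mutex_unlock(&metrics_lock);
	if (racer) racer();
	return id;
}

/* Attacker model: the remover guesses the id just handed out (ids are
 * sequential) and removes it inside the window. */
void racer_remove_latest(void) { remove_config(next_id - 1); }

int main(void)
{
	printf("fixed, unraced:    %u\n",   add_config_fixed(NULL));
	printf("vulnerable, raced: 0x%x\n", add_config_vulnerable(racer_remove_latest));
	printf("fixed, raced:      %u\n",   add_config_fixed(racer_remove_latest));
	return 0;
}
```

The second call returns POISON_ID because the stale pointer was dereferenced after the remover freed the object; the third returns the real id because the value was captured under the lock. In the kernel the analogous stale read returns whatever now occupies the freed slab object, which is why the advisory mentions heap-spray techniques.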
Attack Vector
Exploitation requires local access and the ability to invoke ioctls against the Xe DRM device node. An attacker opens the device and issues the ioctl that reaches xe_oa_add_config_ioctl() to register a configuration; because identifiers are handed out in a predictable sequence, a second thread can guess the id that is about to be assigned and issue the ioctl that reaches xe_oa_remove_config_ioctl() with that id during the brief window after metrics_lock is dropped but before oa_config->id is read. Successful timing frees the object, so the add-side read operates on reclaimed memory. Since that access is a read of the identifier rather than a write, heap-spray techniques would serve to control what value lands in the freed allocation and is returned to userspace; reliably winning the window and building anything beyond a crash or a bogus id on top of it is not described in the advisory.
No verified public proof-of-concept code is available. Refer to the upstream kernel commits referenced in the advisories for the precise code path.
Detection Methods for CVE-2025-71099
Indicators of Compromise
- Unexpected kernel oops or general protection faults referencing xe_oa_add_config_ioctl or xe_oa_remove_config_ioctl in dmesg or /var/log/kern.log
- KASAN (Kernel Address Sanitizer) reports flagging use-after-free reads in the drm/xe/oa subsystem
- Unprivileged processes repeatedly opening /dev/dri/renderD* and issuing OA configuration ioctls in tight loops
Detection Strategies
- Enable KASAN on test and staging kernels to surface the use-after-free at runtime before production deployment
- Audit kernel ring buffer logs for crashes containing xe_oa symbols, which indicate either exploitation attempts or latent driver bugs
- Monitor for processes performing high-frequency DRM ioctl sequences against the Xe driver from non-graphical workloads
Monitoring Recommendations
- Forward kernel logs to a centralized analytics platform and alert on oops or panic entries mentioning xe_oa
- Track auditd SYSCALL records for open and ioctl calls on /dev/dri/* device nodes by unprivileged users (an audit rule on the ioctl syscall filtered by the device path, keyed for easy searching), looking for high-frequency add/remove sequences from non-graphical processes
- Correlate kernel crash telemetry across fleet hosts to identify systematic exploitation attempts versus isolated hardware faults
How to Mitigate CVE-2025-71099
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the vendor advisories as soon as your distribution publishes updated packages
- Inventory hosts running Intel Xe graphics hardware on kernels 6.11 and 6.19-rc series to prioritize patching
- Restrict access to /dev/dri/renderD* device nodes to trusted users via group membership and udev rules; note that most distributions ship render nodes world-accessible (mode 0666) because browsers and GPU compute workloads rely on them, so test the impact before tightening fleet-wide
Patch Information
The fix is available in the upstream stable tree via three commits referenced in the advisory: 7cdb9a9d, c6d30b65, and dcb17193. Apply the corresponding distribution kernel update once available, then reboot to load the patched kernel.
Workarounds
- Blacklist the xe kernel module on systems that do not require Intel Xe graphics support by adding blacklist xe to a file under /etc/modprobe.d/; a blacklist entry only stops automatic loading, so add an install xe /bin/false line as well if an explicit modprobe must also be refused
- Tighten permissions on DRM render nodes so only authenticated graphical sessions can issue ioctls, and make the change persistent with a udev rule, since udev recreates the node with default permissions on reboot
- The advisory describes no runtime switch that disables the OA subsystem outright; on kernels that expose the dev.xe.observation_paranoid sysctl, keeping it enabled (the upstream default) makes the add- and remove-config paths require CAP_PERFMON, which narrows who can reach the vulnerable ioctl. Verify the sysctl exists and is set on your kernel rather than assuming it
# Restrict DRM render node access to the video group (takes effect immediately,
# but udev recreates the node with default permissions on reboot or replug)
sudo chgrp video /dev/dri/renderD128
sudo chmod 660 /dev/dri/renderD128
# Make the restriction persistent with a udev rule that overrides the distro default
printf 'KERNEL=="renderD*", SUBSYSTEM=="drm", GROUP="video", MODE="0660"\n' | sudo tee /etc/udev/rules.d/70-drm-render-restrict.rules
sudo udevadm control --reload && sudo udevadm trigger --subsystem-match=drm
# Optional: block the xe driver if not needed. "blacklist" only stops autoloading;
# the "install" line also refuses an explicit modprobe.
printf 'blacklist xe\ninstall xe /bin/false\n' | sudo tee /etc/modprobe.d/blacklist-xe.conf
sudo update-initramfs -u   # Debian/Ubuntu; on Fedora/RHEL use: sudo dracut -f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

