CVE-2025-71099 Overview
A use-after-free vulnerability has been identified in the Linux kernel's DRM/XE OA (Observation Architecture) subsystem. The flaw exists in the xe_oa_add_config_ioctl() function, where the oa_config->id field is accessed after releasing the metrics_lock mutex. Since this lock protects the lifetime of the oa_config object, a race condition can occur where an attacker with knowledge of the configuration ID can call xe_oa_remove_config_ioctl() with precise timing to free the oa_config structure before it is dereferenced, resulting in a use-after-free condition.
Critical Impact
This use-after-free in the Linux kernel's DRM/XE OA subsystem could allow a local attacker who can issue ioctls on the DRM device to cause system instability or, through carefully timed exploitation of the race, escalate privileges.
Affected Products
- Linux Kernel (DRM/XE OA subsystem)
- Systems utilizing Intel Xe graphics drivers with OA functionality
Discovery Timeline
- 2026-01-13 - CVE-2025-71099 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71099
Vulnerability Analysis
This vulnerability is a classic time-of-check time-of-use (TOCTOU) race condition that manifests as a use-after-free. The xe_oa_add_config_ioctl() function is responsible for adding OA configuration entries, and it properly acquires the metrics_lock mutex to protect shared data structures during the configuration process. However, after releasing the lock, the function continues to access the oa_config->id field.
The fundamental issue is that once the metrics_lock is dropped, there is no guarantee that the oa_config structure remains valid. An attacker who can predict or guess the configuration ID can race to call xe_oa_remove_config_ioctl() in the window between when the lock is released and when oa_config->id is dereferenced. If the removal succeeds before the dereference, the code will access freed memory.
Root Cause
The root cause is improper lock scope management in xe_oa_add_config_ioctl(). The metrics_lock mutex is designed to protect the oa_config object's lifetime, but the function accesses oa_config->id outside of the critical section protected by this lock. This violates the locking discipline and creates a window of vulnerability where the object can be freed by another thread while still being accessed.
Attack Vector
The attack requires local access to the system with the ability to invoke ioctl calls on the DRM/XE device. An attacker would need to:
- Monitor or predict OA configuration IDs being created
- Trigger the xe_oa_add_config_ioctl() function to add a new configuration
- Race to call xe_oa_remove_config_ioctl() with the target ID during the narrow window after metrics_lock is released but before oa_config->id is accessed
The fix involves caching the id value in a local variable while still holding the metrics_lock, ensuring that the ID access occurs within the protected critical section. This eliminates the race condition by guaranteeing the oa_config structure cannot be freed before the ID is safely copied.
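To make the lock-scope point concrete, here is an added user-space model written for this page; it is not the kernel's xe_oa code and not the fix commit. struct oa_registry, idr_alloc_locked(), remove_config(), add_config_racy() and add_config_fixed() are invented stand-ins for struct xe_oa, idr_alloc(), xe_oa_remove_config_ioctl() and the two shapes of xe_oa_add_config_ioctl(), and a pthread mutex plays the role of metrics_lock.

```c
/* Added illustration, not the kernel's xe_oa code: a user-space model of the
 * lock-scope bug behind CVE-2025-71099 and of its fix. All names below are
 * invented stand-ins for the kernel structures and functions named in the text. */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CONFIGS 8

struct oa_config {
    int id;
    char uuid[37];
};

/* Stands in for struct xe_oa: a table of configs guarded by metrics_lock.
 * The slot index doubles as the id, the way an idr hands out small integers. */
struct oa_registry {
    pthread_mutex_t metrics_lock;
    struct oa_config *configs[MAX_CONFIGS];
};

void registry_init(struct oa_registry *oa)
{
    pthread_mutex_init(&oa->metrics_lock, NULL);
    memset(oa->configs, 0, sizeof(oa->configs));
}

/* Caller must hold metrics_lock. Returns the new id (>= 1) or -1 if full. */
static int idr_alloc_locked(struct oa_registry *oa, struct oa_config *cfg)
{
    for (int id = 1; id < MAX_CONFIGS; id++) {
        if (!oa->configs[id]) {
            oa->configs[id] = cfg;
            return id;
        }
    }
    return -1;
}

/* Models xe_oa_remove_config_ioctl(): unlink and free under the lock.
 * Returns 0 on success, -1 if no config has that id. */
int remove_config(struct oa_registry *oa, int id)
{
    int ret = -1;

    pthread_mutex_lock(&oa->metrics_lock);
    if (id > 0 && id < MAX_CONFIGS && oa->configs[id]) {
        free(oa->configs[id]);
        oa->configs[id] = NULL;
        ret = 0;
    }
    pthread_mutex_unlock(&oa->metrics_lock);
    return ret;
}

/* Vulnerable shape: oa_config->id is read AFTER metrics_lock is dropped.
 * Once the config is reachable by id, a concurrent remove_config(id) may
 * free it in the window marked below, so the final read is a use-after-free.
 * (Error handling for a full table is omitted to keep the shape visible.) */
int add_config_racy(struct oa_registry *oa, const char *uuid)
{
    struct oa_config *oa_config = calloc(1, sizeof(*oa_config));

    if (!oa_config)
        return -1;
    strncpy(oa_config->uuid, uuid, sizeof(oa_config->uuid) - 1);

    pthread_mutex_lock(&oa->metrics_lock);
    oa_config->id = idr_alloc_locked(oa, oa_config);
    pthread_mutex_unlock(&oa->metrics_lock);
    /* <-- race window: another thread can remove_config() and free it here */
    return oa_config->id;   /* dereference after the unlock: the UAF */
}

/* Fixed shape: copy the id into a local while metrics_lock is still held and
 * never touch oa_config after the unlock. A concurrent remove can still free
 * the object, but nothing here reads it any more, so there is no UAF. */
int add_config_fixed(struct oa_registry *oa, const char *uuid)
{
    struct oa_config *oa_config = calloc(1, sizeof(*oa_config));
    int id;

    if (!oa_config)
        return -1;
    strncpy(oa_config->uuid, uuid, sizeof(oa_config->uuid) - 1);

    pthread_mutex_lock(&oa->metrics_lock);
    id = idr_alloc_locked(oa, oa_config);
    if (id < 0)
        free(oa_config);
    else
        oa_config->id = id;     /* last access, still inside the critical section */
    pthread_mutex_unlock(&oa->metrics_lock);
    return id;                  /* local copy, valid whatever happens to oa_config */
}

/* Exercise the fixed path: add, remove, double-remove, id reuse.
 * Returns 1 if every step behaved as expected, 0 otherwise. */
int demo_fixed_path(void)
{
    struct oa_registry oa;
    int a, b, ok;

    registry_init(&oa);
    a = add_config_fixed(&oa, "constructed-uuid-a");
    b = add_config_fixed(&oa, "constructed-uuid-b");
    ok = (a == 1) && (b == 2);
    ok = ok && remove_config(&oa, a) == 0;
    ok = ok && remove_config(&oa, a) == -1;                          /* already gone */
    ok = ok && add_config_fixed(&oa, "constructed-uuid-c") == a;     /* id reused */
    remove_config(&oa, a);
    remove_config(&oa, b);
    return ok;
}
```

The model deliberately does not start a second thread: actually racing add_config_racy() against remove_config() would be undefined behaviour rather than a demonstration. The point is structural. After the unlock, neither add function holds anything that keeps the object alive, which is why the fix moves the last read of oa_config->id inside the critical section instead of trying to keep a reference across it.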
Detection Methods for CVE-2025-71099
Indicators of Compromise
- Unexpected kernel crashes or panics related to DRM/XE subsystem
- Memory corruption errors in system logs referencing xe_oa functions
- Unusual ioctl activity targeting DRM devices with rapid add/remove config patterns
- KASAN (Kernel Address Sanitizer) reports of a use-after-free in xe_oa_add_config_ioctl
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) on test or debug kernels to catch use-after-free accesses; its runtime overhead makes it unsuitable for production builds
- Monitor system logs for kernel oops or panics originating from DRM/XE OA code paths
- Deploy behavioral monitoring for suspicious ioctl call patterns on DRM devices
- Utilize SentinelOne's kernel-level threat detection to identify exploitation attempts
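As an added example that is not part of the advisory and not a kernel or SentinelOne component, the following C helper classifies dmesg lines by the KASAN header format `BUG: KASAN: <kind> in <symbol>+0x<offset>/0x<size> [module]` and flags use-after-free reports whose faulting symbol carries the xe_oa_ prefix. The sample lines, offsets, address, task name and the symbol xe_oa_constructed_fn are constructed for the example.

```c
/* Added example, not part of the advisory: a dmesg filter for KASAN
 * use-after-free headers that fire inside the xe OA code. The sample lines
 * at the bottom are constructed; offsets, address and task name are not real. */
#include <string.h>

struct kasan_hit {
    char kind[32];      /* e.g. "slab-use-after-free" */
    char symbol[64];    /* faulting function, e.g. "xe_oa_add_config_ioctl" */
};

/* Parse a KASAN header line of the form
 *   BUG: KASAN: <kind> in <symbol>+0x<offset>/0x<size> [module]
 * Returns 1 and fills *hit when the line is a use-after-free header
 * (older "use-after-free" and newer "slab-use-after-free" spellings),
 * 0 for any other line. A leading dmesg timestamp is ignored. */
int parse_kasan_uaf(const char *line, struct kasan_hit *hit)
{
    static const char tag[] = "BUG: KASAN: ";
    const char *p = strstr(line, tag);
    const char *in, *sym;
    size_t klen, slen;

    if (!p)
        return 0;
    p += sizeof(tag) - 1;
    in = strstr(p, " in ");
    if (!in)
        return 0;
    klen = (size_t)(in - p);
    if (klen == 0 || klen >= sizeof(hit->kind))
        return 0;
    memcpy(hit->kind, p, klen);
    hit->kind[klen] = '\0';
    if (strcmp(hit->kind, "use-after-free") != 0 &&
        strcmp(hit->kind, "slab-use-after-free") != 0)
        return 0;

    sym = in + 4;
    slen = strcspn(sym, "+ \t\n");   /* symbol ends at the +0x offset */
    if (slen == 0 || slen >= sizeof(hit->symbol))
        return 0;
    memcpy(hit->symbol, sym, slen);
    hit->symbol[slen] = '\0';
    return 1;
}

/* 1 if the line is a UAF header whose faulting symbol is in the xe OA code. */
int is_xe_oa_uaf(const char *line)
{
    struct kasan_hit hit;

    return parse_kasan_uaf(line, &hit) &&
           strncmp(hit.symbol, "xe_oa_", 6) == 0;
}

/* Count xe OA UAF headers in a buffer of newline-separated dmesg output. */
int count_xe_oa_uaf(const char *buf)
{
    char line[512];
    int n = 0;

    while (*buf) {
        size_t len = strcspn(buf, "\n");

        if (len < sizeof(line)) {
            memcpy(line, buf, len);
            line[len] = '\0';
            n += is_xe_oa_uaf(line);
        }
        buf += len;
        if (*buf == '\n')
            buf++;
    }
    return n;
}

/* Constructed dmesg excerpt: one xe_oa UAF header, one unrelated UAF,
 * one out-of-bounds report, and ordinary driver noise. */
const char constructed_dmesg[] =
    "[   12.345678] xe 0000:03:00.0: [drm] constructed informational line\n"
    "[  812.001122] BUG: KASAN: slab-use-after-free in xe_oa_add_config_ioctl+0x1a4/0x2b0 [xe]\n"
    "[  812.001130] Read of size 4 at addr ffff8881234567c0 by task racer/1234\n"
    "[  900.500000] BUG: KASAN: slab-out-of-bounds in xe_oa_constructed_fn+0x10/0x20 [xe]\n"
    "[  901.250000] BUG: KASAN: use-after-free in other_driver_fn+0x10/0x20\n";
```

Only the header line is matched, because that is where KASAN names the faulting function; the "Read of size" and call-trace lines that follow it in a real report are context, not a second hit. Feed it `dmesg` or journal output and alert on a non-zero count, or widen the prefix check if other driver paths are of interest.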
Monitoring Recommendations
- Enable kernel debugging options and memory debugging tools in development environments
- Implement audit logging for ioctl system calls targeting graphics devices
- Monitor for processes repeatedly calling OA configuration add/remove operations in rapid succession
How to Mitigate CVE-2025-71099
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- If updates cannot be applied immediately, restrict access to DRM/XE devices to trusted users only
- Monitor systems for signs of exploitation attempts targeting the DRM/XE subsystem
- Consider disabling XE OA functionality if not required for operations
Patch Information
The vulnerability has been resolved in the upstream Linux kernel. The fix caches the oa_config->id value in a local variable while the metrics_lock is held, ensuring safe access without race conditions. The patch has been cherry-picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31.
Patches are available from the following kernel git commits:
Workarounds
- Restrict access to DRM device nodes (/dev/dri/*) to privileged users only
- Apply mandatory access control policies (SELinux, AppArmor) to limit which processes can interact with graphics devices
- Disable XE OA functionality in kernel configuration if not required (CONFIG_DRM_XE_OA=n)
# Restrict DRM device access as temporary mitigation.
# Caveats: this blocks all unprivileged GPU use through the render nodes, and udev
# recreates the nodes with their default ownership and mode on the next reboot or
# device re-enumeration, so add a udev rule if the restriction must persist.
chmod 600 /dev/dri/renderD*
chown root:root /dev/dri/renderD*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.