CVE-2025-71110 Overview
CVE-2025-71110 is a use-after-free vulnerability in the Linux kernel's SLUB memory allocator. The flaw occurs in the defer_free() function when CONFIG_SLUB_TINY is enabled on ARM64 systems utilizing Memory Tagging Extension (MTE). When freeing memory, a race condition between KASAN memory poisoning and deferred free list operations causes a memory tag mismatch, leading to improper memory access.
Critical Impact
This vulnerability can trigger KASAN use-after-free reports and potentially impact system stability on ARM64 systems with MTE enabled, affecting memory allocator integrity.
Affected Products
- Linux kernel with CONFIG_SLUB_TINY enabled
- ARM64 systems with Memory Tagging Extension (MTE)
- Systems using KASAN (Kernel Address Sanitizer) for memory debugging
Discovery Timeline
- 2026-01-14 - CVE-2025-71110 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2025-71110
Vulnerability Analysis
The vulnerability resides in the Linux kernel's SLUB (Simplified List-Based Allocator Unified) memory allocator, specifically in the defer_free() function located at mm/slub.c:6537. When the kernel is compiled with CONFIG_SLUB_TINY enabled, the kfree_nolock() function calls kasan_slab_free() before defer_free().
On ARM64 systems with MTE enabled, kasan_slab_free() poisons the freed memory by changing the memory tag from its original value (e.g., 0xf3) to a poison tag (0xfe). However, when defer_free() subsequently attempts to write to the freed object to build the deferred free list via llist_add(), the pointer still carries the old memory tag. This creates a tag mismatch between the pointer tag and the actual memory tag, triggering a KASAN use-after-free detection.
The bug manifests in kernel worker threads attempting memory deallocation operations, as evidenced by the reported stack trace showing the write occurring at address f3f000000854f020 with pointer tag [f3] but memory tag [fe].
Root Cause
The root cause is a missing kasan_reset_tag() call in the defer_free() function. The function performs legitimate allocator bookkeeping operations on freed memory, but fails to reset the KASAN tag before accessing the memory. This creates a false positive use-after-free detection because the allocator legitimately needs to manipulate freed memory for internal linked list operations.
Attack Vector
The vulnerability is triggered through normal kernel memory allocation and deallocation operations on affected configurations. While the primary impact appears to be system stability and false KASAN reports rather than a directly exploitable security flaw, the underlying memory management issue could potentially lead to:
- Kernel panic or system instability when KASAN is enabled
- Interference with memory debugging and security monitoring
- Potential memory corruption in edge cases where the tag mismatch affects actual memory operations
The vulnerability requires specific kernel configuration (CONFIG_SLUB_TINY) and hardware features (ARM64 with MTE), limiting the attack surface to embedded or specialized Linux deployments using these features.
Detection Methods for CVE-2025-71110
Indicators of Compromise
- Monitor kernel logs for KASAN reports containing slab-use-after-free in defer_free messages
- Look for stack traces referencing mm/slub.c:6537 or the defer_free() function
- Check for kernel worker thread crashes or panics related to memory operations on ARM64 MTE systems
Detection Strategies
- Enable kernel log monitoring for KASAN use-after-free bug reports specifically mentioning defer_free
- Implement automated scanning for pointer tag and memory tag mismatches in kernel diagnostic output
- Deploy kernel configuration auditing to identify systems running with CONFIG_SLUB_TINY on ARM64 MTE hardware
Monitoring Recommendations
- Configure system logging to capture and alert on kernel KASAN reports
- Implement centralized log aggregation for kernel memory allocator warnings across ARM64 infrastructure
- Monitor for unusual kernel worker thread behavior or unexpected system restarts
How to Mitigate CVE-2025-71110
Immediate Actions Required
- Apply the official kernel patches from the stable kernel tree immediately
- Review kernel configuration for CONFIG_SLUB_TINY usage on ARM64 MTE systems
- Consider temporarily disabling MTE or KASAN if patches cannot be applied immediately and stability issues occur
- Update to patched kernel versions as they become available from your distribution
Patch Information
The Linux kernel developers have released patches to address this vulnerability. The fix involves calling kasan_reset_tag() before accessing freed memory in the defer_free() function, which is safe because this function is part of the allocator itself and is expected to manipulate freed memory for bookkeeping purposes.
Official patches are available via the kernel git repository:
Workarounds
- Disable CONFIG_SLUB_TINY in kernel configuration and rebuild the kernel if patching is not immediately feasible
- Disable KASAN temporarily on affected systems if the false positive reports are causing operational issues
- Consider using the standard SLUB allocator configuration instead of the TINY variant on ARM64 MTE systems until patched kernels are deployed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
