CVE-2025-71142 Overview
A vulnerability has been identified in the Linux kernel's cpuset subsystem that triggers a warning when disabling remote partitions during CPU hotplug operations. The issue occurs in the remote_partition_disable() function within kernel/cgroup/cpuset.c when CPU resources become unavailable, causing improper handling of partition states and cpuset management.
Critical Impact
This vulnerability can cause kernel warnings and potential system instability when managing CPU partitions during hotplug events, affecting systems using cgroup cpuset configurations for CPU resource isolation.
Affected Products
- Linux kernel (cpuset subsystem)
- Systems using cgroup v2 cpuset partitioning
- Multi-CPU systems with CPU hotplug capabilities
Discovery Timeline
- 2026-01-14 - CVE CVE-2025-71142 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2025-71142
Vulnerability Analysis
The vulnerability exists in the Linux kernel's cpuset partition management code. When a CPU is taken offline via hotplug, the subpartitions_cpus bitmask gets cleared because no CPUs remain available for the top_cpuset. This forces partitions to share CPUs with the top_cpuset. When a remote partition is subsequently disabled, the kernel triggers an erroneous warning at remote_partition_disable+0xf7/0x110 indicating that effective_xcpus is not a subset of subpartitions_cpus.
The core issue stems from improper state validation during partition transitions. The warning occurs because the code does not properly account for the scenario where subpartitions_cpus has been emptied due to CPU hotplug events. This creates a race-like condition between CPU resource availability and partition state management.
Root Cause
The root cause is insufficient validation logic in the remote_partition_disable() function. The warning condition is triggered even when subpartitions_cpus is empty (a valid state after CPU hotplug), which should not be treated as an error condition. Additionally, partitions are not properly invalidated when subpartitions_cpus becomes empty during CPU hotplug operations, leading to inconsistent state information being presented to users.
Attack Vector
The vulnerability can be triggered through the following sequence of operations on a multi-CPU system:
- Create a cgroup hierarchy with cpuset controllers enabled
- Configure exclusive CPU sets for nested cgroups
- Enable root partition mode on a child cpuset
- Offline a CPU that results in subpartitions_cpus being cleared
- Attempt to change the partition back to member mode
This sequence triggers the kernel warning, potentially affecting system stability and administrator confidence in resource management operations. While this is primarily a local privilege issue requiring administrative access to cgroup filesystem operations and CPU hotplug controls, it can impact systems relying on dynamic CPU resource management.
Detection Methods for CVE-2025-71142
Indicators of Compromise
- Kernel warnings in system logs referencing remote_partition_disable+0xf7/0x110 at kernel/cgroup/cpuset.c:1651
- Unexpected warning messages during CPU hotplug operations
- Partition state inconsistencies in cpuset configurations after CPU offline events
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for WARNING messages containing remote_partition_disable or cpuset.c:1651
- Implement alerting on kernel warnings related to cgroup cpuset operations
- Track CPU hotplug events in conjunction with cpuset partition modifications
Monitoring Recommendations
- Enable kernel warning capture in centralized logging systems
- Monitor /sys/fs/cgroup/ for cpuset partition state changes during maintenance windows
- Configure alerting thresholds for repeated kernel warnings from the cpuset subsystem
- Review system stability metrics during CPU hotplug events
How to Mitigate CVE-2025-71142
Immediate Actions Required
- Apply the kernel patches from the stable tree commits
- Avoid CPU hotplug operations while cpuset partitions are actively configured
- Review existing cpuset partition configurations for potential exposure
- Consider temporarily disabling remote partitions before performing CPU hotplug operations
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix implements two key changes:
- The warning is now only emitted if subpartitions_cpus is not empty AND effective_xcpus is not a subset of subpartitions_cpus
- During CPU hotplug operations, partitions are now properly invalidated if subpartitions_cpus becomes empty
Patches are available from the kernel.org stable tree:
Workarounds
- Disable cpuset partitions before performing CPU hotplug operations to avoid triggering the warning
- Avoid using remote partition mode (root in cpuset.cpus.partition) on systems with frequent CPU hotplug activity
- Ensure all CPUs assigned to partitions remain online during cpuset configuration changes
- Consider using alternative CPU isolation methods if cpuset partitioning cannot be safely used
# Workaround: Disable partition before CPU hotplug
echo member > /sys/fs/cgroup/A1/A2/cpuset.cpus.partition
echo 0 > /sys/devices/system/cpu/cpu15/online
# Reconfigure partitions after CPU state is stable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
