CVE-2025-71142: Linux Kernel Cpuset Warning Vulnerability

CVE-2025-71142 Overview

A vulnerability has been identified in the Linux kernel's cpuset subsystem that triggers a warning when disabling remote partitions during CPU hotplug operations. The issue occurs in the remote_partition_disable() function within kernel/cgroup/cpuset.c when CPU resources become unavailable, causing improper handling of partition states and cpuset management.

Critical Impact

This vulnerability can cause kernel warnings and potential system instability when managing CPU partitions during hotplug events, affecting systems using cgroup cpuset configurations for CPU resource isolation.

Affected Products

• Linux kernel (cpuset subsystem)
• Systems using cgroup v2 cpuset partitioning
• Multi-CPU systems with CPU hotplug capabilities

Discovery Timeline

• 2026-01-14 - CVE CVE-2025-71142 published to NVD
• 2026-01-14 - Last updated in NVD database

Technical Details for CVE-2025-71142

Vulnerability Analysis

The vulnerability exists in the Linux kernel's cpuset partition management code. When a CPU is taken offline via hotplug, the subpartitions_cpus bitmask gets cleared because no CPUs remain available for the top_cpuset. This forces partitions to share CPUs with the top_cpuset. When a remote partition is subsequently disabled, the kernel triggers an erroneous warning at remote_partition_disable+0xf7/0x110 indicating that effective_xcpus is not a subset of subpartitions_cpus.

The core issue stems from improper state validation during partition transitions. The warning occurs because the code does not properly account for the scenario where subpartitions_cpus has been emptied due to CPU hotplug events. This creates a race-like condition between CPU resource availability and partition state management.

Root Cause

The root cause is insufficient validation logic in the remote_partition_disable() function. The warning condition is triggered even when subpartitions_cpus is empty (a valid state after CPU hotplug), which should not be treated as an error condition. Additionally, partitions are not properly invalidated when subpartitions_cpus becomes empty during CPU hotplug operations, leading to inconsistent state information being presented to users.

Attack Vector

The vulnerability can be triggered through the following sequence of operations on a multi-CPU system:

1. Create a cgroup hierarchy with cpuset controllers enabled
2. Configure exclusive CPU sets for nested cgroups
3. Enable root partition mode on a child cpuset
4. Offline a CPU that results in subpartitions_cpus being cleared
5. Attempt to change the partition back to member mode

This sequence triggers the kernel warning, potentially affecting system stability and administrator confidence in resource management operations. While this is primarily a local privilege issue requiring administrative access to cgroup filesystem operations and CPU hotplug controls, it can impact systems relying on dynamic CPU resource management.

Detection Methods for CVE-2025-71142

Indicators of Compromise

• Kernel warnings in system logs referencing remote_partition_disable+0xf7/0x110 at kernel/cgroup/cpuset.c:1651
• Unexpected warning messages during CPU hotplug operations
• Partition state inconsistencies in cpuset configurations after CPU offline events

Detection Strategies

• Monitor kernel logs (dmesg, /var/log/kern.log) for WARNING messages containing remote_partition_disable or cpuset.c:1651
• Implement alerting on kernel warnings related to cgroup cpuset operations
• Track CPU hotplug events in conjunction with cpuset partition modifications

Monitoring Recommendations

• Enable kernel warning capture in centralized logging systems
• Monitor /sys/fs/cgroup/ for cpuset partition state changes during maintenance windows
• Configure alerting thresholds for repeated kernel warnings from the cpuset subsystem
• Review system stability metrics during CPU hotplug events

How to Mitigate CVE-2025-71142

Immediate Actions Required

• Apply the kernel patches from the stable tree commits
• Avoid CPU hotplug operations while cpuset partitions are actively configured
• Review existing cpuset partition configurations for potential exposure
• Consider temporarily disabling remote partitions before performing CPU hotplug operations

Patch Information

The Linux kernel maintainers have released patches to address this vulnerability. The fix implements two key changes:

1. The warning is now only emitted if subpartitions_cpus is not empty AND effective_xcpus is not a subset of subpartitions_cpus
2. During CPU hotplug operations, partitions are now properly invalidated if subpartitions_cpus becomes empty

Patches are available from the kernel.org stable tree:

• Kernel.org Commit Update
• Kernel.org Commit Changes

Workarounds

• Disable cpuset partitions before performing CPU hotplug operations to avoid triggering the warning
• Avoid using remote partition mode (root in cpuset.cpus.partition) on systems with frequent CPU hotplug activity
• Ensure all CPUs assigned to partitions remain online during cpuset configuration changes
• Consider using alternative CPU isolation methods if cpuset partitioning cannot be safely used

# Workaround: Disable partition before CPU hotplug
echo member > /sys/fs/cgroup/A1/A2/cpuset.cpus.partition
echo 0 > /sys/devices/system/cpu/cpu15/online
# Reconfigure partitions after CPU state is stable