CVE-2025-71152 Overview
A vulnerability has been identified in the Linux kernel's Distributed Switch Architecture (DSA) subsystem involving improper reference handling of the conduit (master) network device. The DSA framework fails to properly track references to the conduit net device and its kobject, leading to potential use-after-free conditions and stale pointer references.
The vulnerability stems from two distinct problems: the OF (Open Firmware) path using of_find_net_device_by_node() never releases the elevated reference count on the conduit's kobject, and after finding the conduit interface, it can be unregistered at any time while DSA retains a stale cpu_dp->conduit pointer. This improper reference management can lead to system instability and potential security issues.
Critical Impact
Linux kernel DSA subsystem may retain stale pointers to unregistered network devices, potentially leading to system instability, kernel crashes, or memory corruption when accessing deallocated network device structures.
Affected Products
- Linux kernel with DSA (Distributed Switch Architecture) subsystem enabled
- Systems using OF-based network device discovery
- Network configurations utilizing DSA conduit/master interfaces
Discovery Timeline
- 2026-01-23 - CVE CVE-2025-71152 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-71152
Vulnerability Analysis
The vulnerability exists in the Linux kernel's DSA subsystem, specifically in how it manages references to conduit (master) network devices. The DSA framework is designed to manage network switches by creating user-facing ports that are linked to a master interface (conduit).
The core issue manifests in two interrelated problems. First, the Open Firmware (OF) path that uses of_find_net_device_by_node() to locate the conduit device fails to release the elevated reference count on the conduit's kobject. This creates an asymmetry between OF and non-OF paths, where dsa_dev_to_net_device() contains a put_device() call that is missing in dsa_port_parse_of().
Second, once the conduit interface is discovered, it can be unregistered at any time, leaving DSA with a long-lived but stale cpu_dp->conduit pointer. Simply holding the net device's underlying kobject prevents it from being freed but does not prevent the net device from being unregistered.
Root Cause
The root cause is improper reference counting and synchronization in the DSA subsystem. The vulnerability arises because:
- The OF path never calls the corresponding release function for the elevated kobject reference obtained via of_find_net_device_by_node()
- There is a time window between calling of_find_net_device_by_node() and user port creation during which the conduit can unregister itself without DSA being notified
- The code lacks proper use of the netdev tracker mechanism (dev_hold() and dev_put()) to maintain valid references to the conduit device
- Operations are not properly serialized with rtnl_lock() to prevent race conditions during device registration and unregistration
Attack Vector
The vulnerability can be triggered through network device operations that cause the conduit interface to be unregistered while DSA still holds references to it. An attacker with local access could potentially:
- Manipulate network device bindings through sysfs interfaces
- Unbind the conduit driver while DSA is actively using the interface
- Trigger race conditions by rapidly binding and unbinding network drivers
The exploit scenario involves unbinding the conduit driver for a network device. For example, executing a command such as echo 0000:00:00.2 > /sys/bus/pci/drivers/fsl_enetc/unbind while DSA retains references can expose the vulnerability. With CONFIG_DEBUG_KOBJECT_RELEASE=y enabled, the improper reference handling becomes visible in kernel debug output.
Detection Methods for CVE-2025-71152
Indicators of Compromise
- Kernel log messages related to kobject reference issues, particularly with network device names
- Unexpected kernel warnings or panics related to DSA or network device operations
- System instability when unbinding network drivers on systems with DSA-enabled switches
Detection Strategies
- Enable CONFIG_DEBUG_KOBJECT_RELEASE=y in kernel configuration to expose reference counting issues
- Monitor kernel logs for kobject release messages that indicate improper reference handling
- Audit systems using DSA with Open Firmware network device discovery for affected configurations
Monitoring Recommendations
- Implement kernel log monitoring for DSA-related error messages and warnings
- Track network device binding/unbinding operations on systems with DSA-enabled switches
- Deploy kernel debugging features in test environments to proactively identify reference counting issues
How to Mitigate CVE-2025-71152
Immediate Actions Required
- Apply the latest kernel patches that address the DSA conduit reference handling
- Limit local access to systems with DSA-enabled network configurations
- Avoid unbinding network drivers on production systems until patches are applied
Patch Information
The Linux kernel maintainers have released patches to resolve this vulnerability. The fix involves:
- Properly acquiring and releasing references using the netdev tracker mechanism (dev_hold() and dev_put())
- Running of_find_net_device_by_node() under rtnl_lock() to prevent race conditions
- Maintaining proper CPU port references to the conduit device even when user ports are moved
The patches are available through the stable kernel git repository:
Workarounds
- Avoid performing network driver unbind operations on systems with active DSA configurations
- Restrict access to sysfs driver binding interfaces on affected systems
- Consider disabling DSA functionality if not required until kernel updates can be applied
# Restrict access to driver binding interfaces
chmod 600 /sys/bus/pci/drivers/*/unbind
chmod 600 /sys/bus/pci/drivers/*/bind
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
