CVE-2025-71304 Overview
CVE-2025-71304 is a Linux kernel vulnerability in the Smack Linux Security Module (LSM). The flaw resides in the /smack/doi interface, which manages Domain of Interpretation (DOI) values for Commercial IP Security Option (CIPSO) labeled networking. Writing a previously used value to /smack/doi causes Smack to retain decommissioned DOI definitions, fail re-registration with NetLabel, and refuse to add the default domain map. The result is broken networking for any process running with a non-ambient Smack label. This affects systems that rely on Smack for mandatory access control over network traffic.
Critical Impact
Reusing a DOI value on the /smack/doi interface disables CIPSO networking for non-ambient Smack labels, breaking labeled IPv4 communications until the system is reconfigured or rebooted.
Affected Products
- Linux kernel versions containing the Smack LSM with the affected /smack/doi handler
- Distributions enabling CONFIG_SECURITY_SMACK with CIPSOv4 NetLabel support
- Systems applying mandatory access control through Smack labeled networking
Discovery Timeline
- 2026-05-27 - CVE-2025-71304 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2025-71304
Vulnerability Analysis
The vulnerability is a state management defect [CWE-372 Incomplete Internal State Distinction] in the Smack LSM DOI handler. The /smack/doi interface accepts a numeric DOI value used to bind CIPSOv4 mappings to NetLabel domains. When user space writes a new value, Smack is expected to deregister the old DOI mapping and register the new one with NetLabel.
The defective handler keeps records of previously assigned DOI values in an internal list without clearing them on removal. When the same value is written again, netlbl_cfg_cipsov4_add returns -EEXIST (rc = -17) because the DOI is still considered registered. Smack then fails to install the default domain mapping, leaving IPv4 traffic without a CIPSO mapping for the DEFAULT domain. Processes carrying any non-ambient label cannot send or receive labeled traffic.
Root Cause
Two issues combine to produce the failure. First, decommissioned DOI definitions are never cleared from Smack's internal state, so subsequent writes collide. Second, concurrent writes to /smack/doi are not serialized, which allows interleaved add and remove operations to corrupt the registration sequence. The fix introduces a dedicated lock, clears decommissioned DOI definitions, allows /smack/doi to remain in the unconfigured state CIPSO_V4_DOI_UNKNOWN(0), and adds the new DOI before removing the prior default map.
Attack Vector
The issue requires local privileged access. Writing to /smack/doi is restricted to a process with CAP_MAC_ADMIN. A privileged user or a misbehaving administrative script can trigger the condition by writing a DOI value previously used during the same boot. The result is a denial of service against labeled networking. There is no indication of memory corruption or privilege escalation. The kernel logs entries such as smk_cipso_doi:691 cipso add rc = -17 and smk_cipso_doi:678 remove rc = -2 when the condition occurs.
Detection Methods for CVE-2025-71304
Indicators of Compromise
- Kernel log entries containing smk_cipso_doi:691 cipso add rc = -17 indicating a duplicate DOI registration attempt
- Kernel log entries containing smk_cipso_doi:678 remove rc = -2 showing a stale DOI removal failure
- ping returning Address family for hostname not supported for processes carrying a non-ambient Smack label
- netlabelctl -p map list output missing the IPv4 DEFAULT domain mapping after a DOI reconfiguration
Detection Strategies
- Monitor /var/log/kern.log or journalctl -k for the smk_cipso_doi error strings tied to this defect
- Periodically compare netlabelctl -p cipso list and netlabelctl -p map list output against a known-good baseline
- Audit writes to /smack/doi using auditctl -w /smack/doi -p w -k smack_doi_write and alert on repeated writes within a single boot
Monitoring Recommendations
- Track the running Linux kernel version on Smack-enabled hosts and flag versions predating the upstream patches referenced in the kernel.org commits
- Capture failed labeled traffic by correlating EAFNOSUPPORT socket errors from Smack-enforced workloads with preceding /smack/doi writes
- Forward kernel audit and journal events to a centralized telemetry pipeline for retention and correlation across the fleet
How to Mitigate CVE-2025-71304
Immediate Actions Required
- Apply the upstream Linux kernel stable patches for the Smack /smack/doi handler referenced in the kernel.org commits
- Restrict CAP_MAC_ADMIN to a minimum set of administrative processes that manage Smack policy
- Avoid rewriting previously used DOI values to /smack/doi on unpatched kernels until a fix is deployed
- Reboot affected systems to restore CIPSO mappings if labeled networking has already been broken by the condition
Patch Information
The fix is distributed across multiple upstream stable branches. Apply the kernel update that contains the relevant commit for your branch: Kernel Git Commit 199452f, Kernel Git Commit 1c7ee23, Kernel Git Commit 33d589e, Kernel Git Commit 5a247a8, Kernel Git Commit 6ec091c, Kernel Git Commit 8beebb8, Kernel Git Commit eb718a3, and Kernel Git Commit f807150. The patch clears decommissioned DOI state, serializes updates with a new lock, and adds the new DOI before removing the existing default map.
Workarounds
- Configure Smack DOI exactly once per boot and reboot the system instead of rewriting /smack/doi
- Keep workloads operating under the ambient Smack label until the patched kernel is installed if labeled networking is not strictly required
- Disable CIPSOv4 NetLabel configuration on hosts that do not require labeled networking by removing the relevant netlabelctl mappings
# Verify the current Smack DOI and NetLabel mappings before applying any change
cat /smack/doi
netlabelctl -p cipso list
netlabelctl -p map list
# Audit unexpected writes to the Smack DOI interface
auditctl -w /smack/doi -p w -k smack_doi_write
ausearch -k smack_doi_write
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

