Security Vulnerability Report
中文
CVE-2025-71086 CVSS 7.8 HIGH

CVE-2025-71086

Published: 2026-01-13 16:16:08
Last Modified: 2026-03-25 18:57:18
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer dereference and also leaks references taken via sock_hold(). Fix the index to use i.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel < 6.12 (affected commits: 1418c12cd3bba79dc56b57b61c99efe40f579981)
Linux kernel < 6.6 (affected commits: 6595beb40fb0ec47223d3f6058ee40354694c8e4)
Linux kernel < 6.1 (affected commits: 819fb41ae54960f66025802400c9d3935eef4042)
Linux kernel < 5.15 (affected commits: 92d900aac3a5721fb54f3328f1e089b44a861c38)
Linux kernel < 5.10 (affected commits: 9f6185a32496834d6980b168cffcccc2d6b17280)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// PoC concept for CVE-2025-71086 // This is a conceptual PoC demonstrating the vulnerability trigger condition // Note: Actual exploitation requires kernel debugging and specific ROSE socket usage #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/socket.h> #include <net/rose.h> /* * Vulnerability trigger: * The bug is in rose_kill_by_device() where array[cnt] is used instead of array[i] * This causes: * 1. Uninitialized array element access (cnt < ARRAY_SIZE) * 2. Out-of-bounds read (cnt == ARRAY_SIZE) * * Trigger conditions: * - Create multiple ROSE sockets * - Bind them to a device * - Trigger device shutdown/down * - The buggy loop will iterate with wrong index */ int trigger_vulnerability() { int sock_fds[16]; int i; printf("CVE-2025-71086 PoC - ROSE array index bug\n"); printf("This vulnerability requires kernel-level debugging to confirm\n"); /* * The actual trigger requires: * 1. ROSE protocol support in kernel * 2. Creating sockets that bind to ROSE devices * 3. Forcing device state change that triggers rose_kill_by_device() * * Since this is a kernel bug, detection is typically done via: * - Static code analysis * - Kernel debugging * - Syzkaller/fuzzing */ printf("Detection via code analysis:\n"); printf("Look for: array[cnt] should be array[i] in rose_kill_by_device()\n"); return 0; } int main() { return trigger_vulnerability(); }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71086", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-13T16:16:08.230", "lastModified": "2026-03-25T18:57:17.753", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: fix invalid array index in rose_kill_by_device()\n\nrose_kill_by_device() collects sockets into a local array[] and then\niterates over them to disconnect sockets bound to a device being brought\ndown.\n\nThe loop mistakenly indexes array[cnt] instead of array[i]. For cnt <\nARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==\nARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to\nan invalid socket pointer dereference and also leaks references taken\nvia sock_hold().\n\nFix the index to use i."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: rose: corrige índice de array inválido en rose_kill_by_device()\n\nrose_kill_by_device() recopila sockets en un array[] local y luego itera sobre ellos para desconectar los sockets vinculados a un dispositivo que está siendo dado de baja.\n\nEl bucle indexa erróneamente array[cnt] en lugar de array[i]. Para cnt &lt; ARRAY_SIZE(array), esto lee una entrada no inicializada; para cnt == ARRAY_SIZE(array), es una lectura fuera de límites. Cualquiera de los dos casos puede llevar a una desreferenciación de puntero de socket inválida y también filtra referencias tomadas a través de sock_hold().\n\nCorrige el índice para usar i."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-129"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.304", "versionEndExcluding": "4.20", "matchCriteriaId": "2BCE2CDA-EC6B-4493-8CA2-D1CF3726E9E1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.266", "versionEndExcluding": "5.5", "matchCriteriaId": "49BBD99F-455C-46BB-ADFC-FF5CB89713A9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.206", "versionEndExcluding": "5.10.248", "matchCriteriaId": "B8478451-7F9E-4609-BA3A-FE47B869F777"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.146", "versionEndExcluding": "5.15.198", "matchCriteriaId": "86F5ED80-A04A-4E61-A66A-DBD95685DD99"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.70", "versionEndExcluding": "6.1.160", "matchCriteriaId": "70ABBD67-B4EA-4E96-A325-D9DC3C138166"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.9", "versionEndExcluding": "6.6.120", "matchCriteriaId": "996240E4-5384-4959-A529-94B25A62E245"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7.1", "versionEndExcluding": "6.12.64", "matchCriteriaId": "67949B6F-3355-4092-B2E4-27D7E2C5B476"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.4", "matchCriteriaId": "DC988EA0-0E32-457A-BF95-89BEB31A227B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.7:-:*:*:*:*:*:*", "matchCriteriaId": "62B55B1B-7D3E-499B-9C42-E9F1EF05A54A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.