Cyber Posture

CVE-2025-71086

High

Published: 13 January 2026
Modified: 25 March 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-71086 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Directly requires timely patching of known kernel flaws like the array indexing error in rose_kill_by_device() to prevent exploitation.

detect

Enables automated vulnerability scanning to identify the presence of CVE-2025-71086 in Linux kernels with ROSE support.

prevent

Minimizes attack surface by disabling unnecessary kernel functionalities such as the ROSE networking module if not required.

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local kernel array indexing flaw enables memory corruption/reference leaks for privilege escalation (T1068) and kernel crashes for DoS via system exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved:

net: rose: fix invalid array index in rose_kill_by_device()

rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down.

The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer dereference and also leaks references taken via sock_hold(). Fix the index to use i.

Deeper analysis [AI]

CVE-2025-71086 is a vulnerability in the Linux kernel's ROSE networking module, specifically in the rose_kill_by_device() function. This function collects sockets bound to a device being brought down into a local array and iterates over them to disconnect them. Due to a coding error, the loop incorrectly indexes array[cnt] instead of array[i], resulting in either reading an uninitialized entry when cnt is less than the array size or an out-of-bounds read when cnt equals the array size. This can lead to dereferencing an invalid socket pointer and leaking references taken via sock_hold(). The vulnerability is rated 7.8 on the CVSS 3.1 scale (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-129 (Improper Validation of Array Index).

A local attacker with low privileges can exploit this vulnerability by triggering the rose_kill_by_device() function, such as when a ROSE device is brought down. The low attack complexity and lack of user interaction requirement make it straightforward to invoke. Successful exploitation can result in high impacts across confidentiality, integrity, and availability, potentially through kernel crashes from invalid pointer dereferences, memory corruption, or reference leaks that enable further privilege escalation or denial of service.

Mitigation involves applying patches from the Linux kernel stable repository, as detailed in the referenced commits: https://git.kernel.org/stable/c/1418c12cd3bba79dc56b57b61c99efe40f579981, https://git.kernel.org/stable/c/6595beb40fb0ec47223d3f6058ee40354694c8e4, https://git.kernel.org/stable/c/819fb41ae54960f66025802400c9d3935eef4042, https://git.kernel.org/stable/c/92d900aac3a5721fb54f3328f1e089b44a861c38, and https://git.kernel.org/stable/c/9f6185a32496834d6980b168cffcccc2d6b17280. These patches correct the array index to use 'i' instead of 'cnt', preventing the invalid reads. Security practitioners should update affected Linux kernels, particularly those with ROSE support enabled.
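The collect-then-release pattern described above, as an added user-space model (not the kernel's code and not part of the original page). `struct msock`, `SLOTS` and `kill_by_device()` are hypothetical names, the array size of 4 is an assumption, and invalid slots are classified and counted rather than actually read, so the model shows which slot each loop would touch and how many held references are never dropped.

```c
#include <stdio.h>
#include <stddef.h>

#define SLOTS 4 /* assumed size for this model; stands in for ARRAY_SIZE(array) */

struct msock { int dev, refs, disconnected; };  /* hypothetical stand-in for a socket */
struct result { int released, uninit_reads, oob_reads, leaked_refs; };

/* use_i = 1 models the fixed loop (array[i]); use_i = 0 the flawed one (array[cnt]).
 * Invalid slots are classified and counted, never actually read. */
static struct result kill_by_device(struct msock *socks, size_t n, int dev, int use_i)
{
    struct msock *array[SLOTS] = {0};        /* zeroed in the model only */
    struct result r = {0, 0, 0, 0};
    size_t cnt = 0, i;

    /* Collect phase: take a reference on each socket bound to dev. */
    for (i = 0; i < n && cnt < SLOTS; i++) {
        if (socks[i].dev == dev) {
            socks[i].refs++;                 /* models sock_hold() */
            array[cnt++] = &socks[i];
        }
    }
    /* Release phase: the index choice is the whole bug. */
    for (i = 0; i < cnt; i++) {
        size_t idx = use_i ? i : cnt;
        if (idx >= SLOTS) {
            r.oob_reads++;                   /* cnt == ARRAY_SIZE: past the end */
        } else if (idx >= cnt) {
            r.uninit_reads++;                /* cnt < ARRAY_SIZE: never-written slot */
        } else {
            array[idx]->disconnected = 1;
            array[idx]->refs--;              /* drop the reference taken above */
            r.released++;
        }
    }
    for (i = 0; i < n; i++)
        r.leaked_refs += socks[i].refs - 1;  /* every socket starts with refs == 1 */
    return r;
}

int main(void)
{
    struct msock s[3] = {{7, 1, 0}, {7, 1, 0}, {9, 1, 0}};  /* constructed sample */
    struct result r = kill_by_device(s, 3, 7, 0);
    printf("flawed: released=%d uninit=%d oob=%d leaked=%d\n",
           r.released, r.uninit_reads, r.oob_reads, r.leaked_refs);
    return 0;
}
```

With the flawed index no collected socket is ever disconnected, so every reference taken in the collect phase remains held; with `use_i = 1` the same input releases all of them.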

Details

CWE(s)

Affected Products

linux
linux kernel
6.19, 6.7 · 4.19.304 — 4.20 · 5.4.266 — 5.5 · 5.10.206 — 5.10.248

CVEs Like This One

CVE-2025-21680 · Same product: Linux Linux Kernel
CVE-2023-53019 · Same product: Linux Linux Kernel
CVE-2025-71100 · Same product: Linux Linux Kernel
CVE-2023-52988 · Same product: Linux Linux Kernel
CVE-2023-52987 · Same product: Linux Linux Kernel
CVE-2025-21692 · Same product: Linux Linux Kernel
CVE-2026-23354 · Same product: Linux Linux Kernel
CVE-2026-23447 · Same product: Linux Linux Kernel
CVE-2025-71143 · Same product: Linux Linux Kernel
CVE-2024-57795 · Same product: Linux Linux Kernel
