CVE-2025-71099
Published: 13 January 2026
Summary
CVE-2025-71099 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 1.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-71099 is a use-after-free vulnerability (CWE-416) in the Linux kernel's drm/xe/oa subsystem, specifically in the xe_oa_add_config_ioctl() function. The function reads the oa_config->id field after releasing metrics_lock, the lock that governs the lifetime of the oa_config structure. This opens a race window in which the structure can be freed by a concurrent remove before the id is read.
A local attacker with low privileges (PR:L) can exploit the vulnerability by guessing the oa_config ID and invoking xe_oa_remove_config_ioctl() with precise timing after the lock is dropped but before the ID is dereferenced. Successful exploitation leads to a use-after-free condition, enabling high-impact consequences on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in the CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U).
The fix, shipped in the kernel patches below, caches the id in a local variable while metrics_lock is still held, so the oa_config structure is never dereferenced after the lock is released. Relevant stable commits include https://git.kernel.org/stable/c/7cdb9a9da935c687563cc682155461fef5f9b48d, https://git.kernel.org/stable/c/c6d30b65b7a44dac52ad49513268adbf19eab4a2, and https://git.kernel.org/stable/c/dcb171931954c51a1a7250d558f02b8f36570783.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2213
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()

In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock. Since this lock protects the lifetime of oa_config, an attacker could guess the id and call xe_oa_remove_config_ioctl() with perfect timing, freeing oa_config before we dereference it, leading to a potential use-after-free. Fix this by caching the id in a local variable while holding the lock.

v2: (Matt A)
- Dropped mutex_unlock(&oa->metrics_lock) ordering change from xe_oa_remove_config_ioctl()

(cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31)
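The vulnerable and fixed shapes described in the analysis and in the commit message above, as an added userspace C model that is not the kernel's own code: metrics_lock, the oa_config pool, the remove ioctl and the racing remover's guessed id are all simulated, and kfree() is replaced by id poisoning so the stale read shows up as a value (ID_POISON) instead of undefined behaviour.

```c
/* Added userspace model of the CVE-2025-71099 race (not the kernel's code):
 * oa_config->id is read after metrics_lock is dropped, so a racing remove can
 * free the object first. kfree() is simulated by slab-style id poisoning. */
#include <pthread.h>
#include <string.h>
#define ID_POISON  (-1)
#define NR_CONFIGS 4
struct oa_config { int id; int live; };
static pthread_mutex_t metrics_lock = PTHREAD_MUTEX_INITIALIZER;
static struct oa_config pool[NR_CONFIGS]; /* ids 1..NR_CONFIGS (hypothetical pool) */
static int race_guess;                    /* id the racing remover guesses; 0 = no race */
void reset_pool(void) { memset(pool, 0, sizeof pool); }
void set_race(int guessed_id) { race_guess = guessed_id; }

/* Model of xe_oa_remove_config_ioctl(): frees the object under the lock. */
int remove_config(int id)
{
    pthread_mutex_lock(&metrics_lock);
    int ok = id >= 1 && id <= NR_CONFIGS && pool[id - 1].live;
    if (ok) { pool[id - 1].live = 0; pool[id - 1].id = ID_POISON; } /* "kfree" */
    pthread_mutex_unlock(&metrics_lock);
    return ok ? 0 : -1;
}
static struct oa_config *alloc_config_locked(void)
{
    for (int i = 0; i < NR_CONFIGS; i++)
        if (!pool[i].live) { pool[i].live = 1; pool[i].id = i + 1; return &pool[i]; }
    return NULL;
}
/* Vulnerable shape: cfg dereferenced after the lock guarding its lifetime is gone. */
int add_config_vulnerable(void)
{
    pthread_mutex_lock(&metrics_lock);
    struct oa_config *cfg = alloc_config_locked();
    pthread_mutex_unlock(&metrics_lock);
    if (!cfg) return -1;
    if (race_guess) remove_config(race_guess);   /* remover wins the window */
    return cfg->id;                              /* stale read: ID_POISON */
}

/* Fixed shape, as in the stable commits: cache the id while still locked. */
int add_config_fixed(void)
{
    pthread_mutex_lock(&metrics_lock);
    struct oa_config *cfg = alloc_config_locked();
    int id = cfg ? cfg->id : -1;
    pthread_mutex_unlock(&metrics_lock);
    if (race_guess) remove_config(race_guess);   /* same race; cfg no longer touched */
    return id;
}
```

With the racer enabled, the vulnerable path returns the poisoned id while the fixed path still returns the id it allocated, which is exactly the property the caching fix restores.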
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local use-after-free in a kernel driver directly enables privilege escalation (T1068) via a crafted ioctl race.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly eliminates the use-after-free vulnerability by requiring timely application of the kernel patch that caches the oa_config ID under metrics_lock.
- RA-5 (Vulnerability Monitoring and Scanning): Identifies systems running vulnerable Linux kernel versions affected by CVE-2025-71099 through regular vulnerability scanning.
- Memory protection: Implements kernel memory protections like KASLR, SMEP, and SMAP that increase the difficulty of exploiting the use-after-free race condition.