Cyber Resilience

CVE-2025-71099

Severity: High
Published: 13 January 2026
Modified: 25 March 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.4th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-71099 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS ranks at the 1.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-71099 is a use-after-free vulnerability (CWE-416) in the Linux kernel's drm/xe/oa subsystem, specifically in the xe_oa_add_config_ioctl() function. The function reads the oa_config->id field after releasing metrics_lock, the lock that governs the lifetime of the oa_config structure. That leaves a window in which a concurrent remove can free the structure before the field is read.

A local attacker with low privileges (PR:L) can exploit the vulnerability by guessing the oa_config ID and invoking xe_oa_remove_config_ioctl() with precise timing after the lock is dropped but before the ID is dereferenced. Successful exploitation leads to a use-after-free condition, enabling high-impact consequences on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in the CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U).

Mitigation is provided via kernel patches that cache the ID in a local variable while metrics_lock is still held, so no field of oa_config is accessed after the lock is released. Relevant stable commits include https://git.kernel.org/stable/c/7cdb9a9da935c687563cc682155461fef5f9b48d, https://git.kernel.org/stable/c/c6d30b65b7a44dac52ad49513268adbf19eab4a2, and https://git.kernel.org/stable/c/dcb171931954c51a1a7250d558f02b8f36570783.
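The lock-lifetime mistake and its fix, as an added example that is not kernel code and not from this page: a single-threaded C model in which metrics_lock guards both a small config table and each config's lifetime. struct oa_table, remove_config, add_config_vulnerable, add_config_fixed and the racer_guess parameter are constructed names; to make the race deterministic the simulated remover runs exactly in the post-unlock window, and a "freed" config is quarantined with its id poisoned instead of being passed to free(), so the stale read shows up as a value rather than as undefined behaviour.

```c
/* Constructed model of the CVE-2025-71099 pattern; not kernel code.
 * metrics_lock governs the slot table and the lifetime of every cfg in it.
 * Freed objects are quarantined and id-poisoned so the stale read is observable. */
#include <pthread.h>

#define NSLOTS 8
#define POISONED_ID (-1)   /* stand-in for whatever freed memory now holds */

struct oa_cfg { int id; };

struct oa_table {
    pthread_mutex_t metrics_lock;   /* governs slots and each cfg's lifetime */
    struct oa_cfg *slots[NSLOTS];
    struct oa_cfg *quarantine;      /* last "freed" cfg, kept so reads are observable */
};

/* Remover side: take the lock, unlink the cfg with this id and "free" it. */
void remove_config(struct oa_table *t, int id) {
    pthread_mutex_lock(&t->metrics_lock);
    for (int i = 0; i < NSLOTS; i++) {
        if (t->slots[i] && t->slots[i]->id == id) {
            t->quarantine = t->slots[i];
            t->slots[i] = NULL;
            t->quarantine->id = POISONED_ID;  /* object is gone from here on */
        }
    }
    pthread_mutex_unlock(&t->metrics_lock);
}

/* Vulnerable shape: cfg->id is dereferenced after metrics_lock is dropped.
 * racer_guess >= 0 simulates a concurrent remove landing in that window. */
int add_config_vulnerable(struct oa_table *t, struct oa_cfg *cfg, int racer_guess) {
    pthread_mutex_lock(&t->metrics_lock);
    t->slots[cfg->id % NSLOTS] = cfg;
    pthread_mutex_unlock(&t->metrics_lock);
    if (racer_guess >= 0) remove_config(t, racer_guess);  /* the race window */
    return cfg->id;                  /* stale read if the guess was right */
}

/* Fixed shape: cache the id while the lock still pins the object's lifetime. */
int add_config_fixed(struct oa_table *t, struct oa_cfg *cfg, int racer_guess) {
    pthread_mutex_lock(&t->metrics_lock);
    t->slots[cfg->id % NSLOTS] = cfg;
    int id = cfg->id;                /* read under the lock */
    pthread_mutex_unlock(&t->metrics_lock);
    if (racer_guess >= 0) remove_config(t, racer_guess);  /* same window */
    return id;                       /* nothing dereferenced after unlock */
}
```

The same discipline applies to any field of an object whose lifetime a lock protects: copy what is needed before the unlock, or hold a reference across it.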

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()

In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock. Since this lock protects the lifetime of oa_config, an attacker could guess the id and call xe_oa_remove_config_ioctl() with perfect timing, freeing oa_config before we dereference it, leading to a potential use-after-free.

Fix this by caching the id in a local variable while holding the lock.

v2: (Matt A)
- Dropped mutex_unlock(&oa->metrics_lock) ordering change from xe_oa_remove_config_ioctl()

(cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31)

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local use-after-free in a kernel driver, reachable through a crafted ioctl race, directly enables privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux Linux Kernel)
CVE-2026-31530 (same product: Linux Linux Kernel)
CVE-2026-43019 (same product: Linux Linux Kernel)
CVE-2026-23158 (same product: Linux Linux Kernel)
CVE-2025-21893 (same product: Linux Linux Kernel)
CVE-2026-31446 (same product: Linux Linux Kernel)
CVE-2026-31650 (same product: Linux Linux Kernel)
CVE-2026-23001 (same product: Linux Linux Kernel)
CVE-2024-50051 (same product: Linux Linux Kernel)
CVE-2025-21759 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 6.11, 6.19 · 6.11.1 to 6.12.64 · 6.13 to 6.18.4

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2 Flaw Remediation): Directly eliminates the use-after-free vulnerability by requiring timely application of the kernel patch that caches the oa_config ID under metrics_lock.

Detect (RA-5 Vulnerability Monitoring and Scanning): Identifies systems running vulnerable Linux kernel versions affected by CVE-2025-71099 through regular vulnerability scanning.

Prevent: Implements kernel memory protections like KASLR, SMEP, and SMAP that increase the difficulty of exploiting the use-after-free race condition.
