CVE-2025-71110
Published: 14 January 2026
Summary
CVE-2025-71110 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 7.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2025-71110 is a use-after-free vulnerability (CWE-416) in the Linux kernel's SLUB memory allocator (mm/slub.c), specifically when CONFIG_SLUB_TINY is enabled on ARM64 systems with Memory Tagging Extension (MTE). The issue arises during kfree_nolock(), which calls kasan_slab_free() to poison freed memory and change its KASAN tag from the original (e.g., 0xf3) to a poison tag (0xfe). Subsequently, defer_free() attempts to write to the freed object using llist_add() to build a deferred free list, but retains the old pointer tag, resulting in a tag mismatch and a KASAN slab-use-after-free BUG report, such as at mm/slub.c:6537. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-14.
A local attacker with low privileges (PR:L) can exploit this vulnerability by triggering memory free operations that invoke kfree_nolock() under the affected configuration. Successful exploitation leads to high confidentiality, integrity, and availability impacts, potentially enabling kernel crashes via the KASAN BUG (e.g., write at addr f3f000000854f020 by a kworker task) or more severe outcomes from the underlying use-after-free condition in the allocator's bookkeeping.
The referenced stable patches, https://git.kernel.org/stable/c/53ca00a19d345197a37a1bf552e8d1e7b091666c and https://git.kernel.org/stable/c/65d4e5af2a2e82f4fc50d8259aee208fbc6b2c1d, add a call to kasan_reset_tag() in defer_free() before the freed memory is accessed. This is safe because defer_free() is an allocator-internal bookkeeping function that is expected to touch freed objects, so resetting the tag removes the mismatch without weakening KASAN elsewhere. Security practitioners should apply these stable kernel patches to affected ARM64 systems running with CONFIG_SLUB_TINY and MTE enabled.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2503
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

mm/slub: reset KASAN tag in defer_free() before accessing freed memory

When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free(). On ARM64 with MTE (Memory Tagging Extension), kasan_slab_free() poisons the memory and changes the tag from the original (e.g., 0xf3) to a poison tag (0xfe).

When defer_free() then tries to write to the freed object to build the deferred free list via llist_add(), the pointer still has the old tag, causing a tag mismatch and triggering a KASAN use-after-free report:

  BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537
  Write at addr f3f000000854f020 by task kworker/u8:6/983
  Pointer tag: [f3], memory tag: [fe]

Fix this by calling kasan_reset_tag() before accessing the freed memory. This is safe because defer_free() is part of the allocator itself and is expected to manipulate freed memory for bookkeeping purposes.
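To make the tag mismatch in the deeper analysis and the commit message above concrete, here is an added simulation written for this page; it is not kernel code and not part of the referenced patches. It models MTE-style tagging in software: a fake heap with one tag per 16-byte granule, "tagged pointers" carrying the tag in the top byte as on arm64, and sim_* stand-ins (all hypothetical names) for kasan_slab_free(), kasan_reset_tag() and the llist_add() write that defer_free() performs. The tags 0xf3 and 0xfe are taken from the report on the page; the offset 0x20, the match-all tag 0xff (KASAN_TAG_KERNEL) and the rule that a match-all pointer is never checked are modelling assumptions.

```c
/*
 * Constructed simulation of an MTE / KASAN hardware-tag check, written to
 * illustrate the defer_free() ordering bug.  Not kernel code: tags live in a
 * software shadow array instead of MTE allocation tags.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t tptr;            /* tagged pointer: tag in bits 63..56 */

#define GRANULE     16            /* MTE tags memory in 16-byte granules */
#define HEAP_SIZE   256
#define TAG_SHIFT   56
#define TAG_KERNEL  0xffu         /* match-all tag (KASAN_TAG_KERNEL); assumed unchecked */
#define TAG_POISON  0xfeu         /* memory tag after free, as in the report */

static uint8_t heap[HEAP_SIZE];               /* fake object memory */
static uint8_t memtag[HEAP_SIZE / GRANULE];   /* one tag per granule */

static inline uint8_t ptr_tag(tptr p)  { return (uint8_t)(p >> TAG_SHIFT); }
static inline tptr    ptr_addr(tptr p) { return p & ((1ULL << TAG_SHIFT) - 1); }
static inline tptr    set_tag(tptr p, uint8_t tag)
{
    return ptr_addr(p) | ((tptr)tag << TAG_SHIFT);
}

/* Model of kasan_reset_tag(): give the pointer the match-all tag. */
static inline tptr sim_reset_tag(tptr p) { return set_tag(p, TAG_KERNEL); }

/* 0 if the access passes the tag check, -1 if it would be reported as a
 * mismatch.  A match-all pointer is never checked (modelling assumption). */
static int sim_check_access(tptr p)
{
    uint8_t ptag = ptr_tag(p);
    tptr off = ptr_addr(p);
    if (off + sizeof(tptr) > HEAP_SIZE) return -1;
    if (ptag == TAG_KERNEL) return 0;
    return memtag[off / GRANULE] == ptag ? 0 : -1;
}

/* Model of allocation: tag the granule and hand back a matching pointer. */
static tptr sim_alloc(tptr off, uint8_t tag)
{
    memtag[off / GRANULE] = tag;
    return set_tag(off, tag);
}

/* Model of kasan_slab_free(): re-tag the granule with the poison tag. */
static void sim_kasan_slab_free(tptr p)
{
    memtag[ptr_addr(p) / GRANULE] = TAG_POISON;
}

/* The bookkeeping write defer_free() does via llist_add(): store a "next"
 * link in the first word of the freed object.  -1 stands for the KASAN BUG. */
static int sim_llist_add(tptr obj, tptr next)
{
    if (sim_check_access(obj) != 0) return -1;
    memcpy(&heap[ptr_addr(obj)], &next, sizeof(next));
    return 0;
}

/* Buggy ordering: write through the stale-tagged pointer after the poison. */
static int sim_defer_free_buggy(tptr obj) { return sim_llist_add(obj, 0); }

/* Fixed ordering from the patch: reset the tag before touching the object. */
static int sim_defer_free_fixed(tptr obj) { return sim_llist_add(sim_reset_tag(obj), 0); }

/* kfree_nolock() sequence under CONFIG_SLUB_TINY: poison first, then defer.
 * Returns 0 when the deferred write passes, -1 on a tag mismatch. */
static int run_kfree_nolock(int fixed)
{
    tptr obj = sim_alloc(0x20, 0xf3);      /* pointer tag 0xf3 as in the report */
    sim_kasan_slab_free(obj);              /* memory tag is now 0xfe */
    return fixed ? sim_defer_free_fixed(obj) : sim_defer_free_buggy(obj);
}

int main(void)
{
    printf("buggy defer_free: %s\n", run_kfree_nolock(0) ? "tag mismatch" : "ok");
    printf("fixed defer_free: %s\n", run_kfree_nolock(1) ? "tag mismatch" : "ok");
    return 0;
}
```

The buggy path fails the check because the pointer still carries 0xf3 while the granule was re-tagged 0xfe, which is exactly the "Pointer tag: [f3], memory tag: [fe]" pair in the report; the fixed path passes because the reset pointer is exempt from checking, which is why the patch can safely let allocator bookkeeping touch a poisoned object.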
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF in SLUB allocator directly enables privilege escalation via memory corruption on affected ARM64 systems.
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely identification, reporting, and correction of the use-after-free tag mismatch flaw in the Linux kernel's SLUB defer_free() function via patching.
- Scans for vulnerabilities like CVE-2025-71110 in the Linux kernel SLUB allocator to identify unpatched systems for remediation.
- Enforces secure configuration settings for the kernel to avoid enabling vulnerable combinations such as CONFIG_SLUB_TINY with MTE on ARM64.