CVE-2025-71156
Published: 23 January 2026
Summary
CVE-2025-71156 is a high-severity vulnerability in the Linux kernel; its weakness type is unspecified. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-2 (Baseline Configuration) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2025-71156 by requiring timely remediation through application of kernel stable patches that defer interrupt enabling until NAPI context initialization.
Maintains a secure baseline kernel configuration excluding the gve driver interrupt timing flaw, preventing deployment of vulnerable systems.
Identifies vulnerable kernel versions affected by CVE-2025-71156 via regular vulnerability scanning, enabling proactive patching.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel race condition in interrupt/NAPI init enables triggering crashes/panics with high C/I/A impact, directly facilitating exploitation for privilege escalation and system/application DoS.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

gve: defer interrupt enabling until NAPI registration

Currently, interrupts are automatically enabled immediately upon request. This allows interrupt to fire before the associated NAPI context is fully initialized and cause failures like below:

[ 0.946369] Call Trace:
[ 0.946369] <IRQ>
[ 0.946369] __napi_poll+0x2a/0x1e0
[ 0.946369] net_rx_action+0x2f9/0x3f0
[ 0.946369] handle_softirqs+0xd6/0x2c0
[ 0.946369] ? handle_edge_irq+0xc1/0x1b0
[ 0.946369] __irq_exit_rcu+0xc3/0xe0
[ 0.946369] common_interrupt+0x81/0xa0
[ 0.946369] </IRQ>
[ 0.946369] <TASK>
[ 0.946369] asm_common_interrupt+0x22/0x40
[ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10

Use the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto enablement and explicitly enable the interrupt in NAPI initialization path (and disable it during NAPI teardown). This ensures that interrupt lifecycle is strictly coupled with readiness of NAPI context.
Deeper analysis
CVE-2025-71156 is a vulnerability in the Linux kernel's gve (Google Virtual Ethernet) driver, where interrupts are automatically enabled immediately upon request. This allows interrupts to fire before the associated NAPI context is fully initialized, leading to kernel failures such as crashes evidenced by stack traces involving __napi_poll, net_rx_action, and handle_softirqs during early boot or initialization phases. The issue has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of required user interaction. Exploitation involves triggering the interrupt request timing race condition, potentially achieving high impacts on confidentiality, integrity, and availability, such as kernel panics or oops that destabilize the system.
Kernel stable patches address the issue via commits such as 3d970eda003441f66551a91fda16478ac0711617, 48f9277680925e1a8623d6b2c50aadb7af824ace, and f5b7f49bd2377916ad57cbd1210c61196daff013. These use the IRQF_NO_AUTOEN flag to prevent automatic interrupt enabling, explicitly enabling interrupts during NAPI initialization and disabling them during teardown, ensuring the interrupt lifecycle aligns with NAPI context readiness.
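The ordering described above, as an added user-space model that is not the gve driver's code or any kernel code: it contrasts an interrupt that is auto-enabled at request time with one requested as if with IRQF_NO_AUTOEN and enabled only in the NAPI init path. All struct and function names are hypothetical, and latching an interrupt raised while the line is disabled is a modeling assumption.

```c
/* User-space model only: not kernel code and not the gve driver. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
struct napi_model { bool registered; int polls; };  /* stands in for the NAPI context */
struct irq_model {
    bool enabled;             /* line is unmasked */
    bool pending;             /* raised while masked (modeling assumption: latched) */
    struct napi_model *napi;  /* NULL until NAPI registration */
    int bad_fires;            /* handler ran before NAPI was ready */
};
/* Handler: using the NAPI context is only safe once it is registered. */
static void irq_handler(struct irq_model *irq) {
    if (irq->napi == NULL || !irq->napi->registered) { irq->bad_fires++; return; }
    irq->napi->polls++;
}
/* Device raises the line: delivered if enabled, otherwise latched. */
static void device_raise(struct irq_model *irq) {
    if (irq->enabled) irq_handler(irq); else irq->pending = true;
}
/* NAPI init path: register the context first, then enable the interrupt. */
static void model_napi_init(struct irq_model *irq, struct napi_model *napi) {
    napi->registered = true; irq->napi = napi;
    if (!irq->enabled) {
        irq->enabled = true;
        if (irq->pending) { irq->pending = false; irq_handler(irq); }
    }
}
/* NAPI teardown path: disable the interrupt before dropping the context. */
static void model_napi_teardown(struct irq_model *irq) {
    irq->enabled = false;
    irq->napi->registered = false; irq->napi = NULL;
}
/* Bring-up with an interrupt arriving between request and NAPI init. */
int early_irq_bad_fires(bool no_autoen) {
    struct irq_model irq = {0};
    struct napi_model napi = {0};
    irq.enabled = !no_autoen;        /* request: auto-enabled unless IRQF_NO_AUTOEN */
    device_raise(&irq);              /* early interrupt, NAPI not ready yet */
    model_napi_init(&irq, &napi);
    device_raise(&irq);              /* normal interrupt after init */
    model_napi_teardown(&irq);
    device_raise(&irq);              /* after teardown: masked, never handled */
    return irq.bad_fires;
}
int main(void) {
    printf("auto-enabled: %d early fires, deferred: %d\n", early_irq_bad_fires(false), early_irq_bad_fires(true));
    return 0;
}
```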
Details
- CWE(s)