CVE-2025-71086 in Linux

Summary

by MITRE • 01/13/2026

In the Linux kernel, the following vulnerability has been resolved:

net: rose: fix invalid array index in rose_kill_by_device()

rose_kill_by_device() collects sockets into a local array[] and then
iterates over them to disconnect sockets bound to a device being brought down.

The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer dereference and also leaks references taken via sock_hold().

Fix the index to use i.


Analysis

by VulDB Data Team • 03/31/2026

The vulnerability identified as CVE-2025-71086 resides within the Linux kernel's ROSE (Remote Operations Support Element) network protocol implementation, specifically within the rose_kill_by_device() function. This function operates as part of the kernel's network subsystem and is responsible for managing socket connections when a network device is being brought down. The ROSE protocol is used for packet-switched data communication and operates within the Linux networking stack, making it a critical component for maintaining proper network device lifecycle management. The flaw manifests in a fundamental indexing error that can result in severe memory corruption and potential privilege escalation opportunities.

The technical flaw is a classic buffer over-read condition that stems from an incorrect loop variable in the rose_kill_by_device() function. The implementation collects active sockets into a local array and then iterates over them to disconnect the connections when a device goes down. However, the loop uses cnt as the index instead of the loop counter i, so array[cnt] names a slot that was never populated or that lies outside the array entirely. When cnt is less than the array size, the function reads an uninitialized entry containing arbitrary data; when cnt equals the array size, it performs an out-of-bounds read. Either way, the value read is not a collected socket pointer and may point to freed memory or other unintended locations in kernel address space.
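The indexing defect and its fix, as an added user-space model that is not the kernel's code: a collect-then-iterate pattern like the one described above, with a minimal sock structure, sock_hold()/sock_put() refcounting and a MAX_BATCH array standing in for the kernel's local array[]. The fixed loop walks array[i] and releases every hold; buggy_slot_kind() classifies what the pre-fix index array[cnt] would have hit, since slots 0..cnt-1 are the only populated ones.

```c
#include <stddef.h>
/* User-space model of the collect-then-iterate pattern in rose_kill_by_device();
 * constructed for illustration, not the kernel's code. */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define MAX_BATCH 8   /* stands in for the size of the local array[] */
struct sock { int refcnt, dev_id, disconnected; }; /* refcnt models sk_refcnt */
static void sock_hold(struct sock *sk) { sk->refcnt++; }
static void sock_put(struct sock *sk)  { sk->refcnt--; }

/* Collect up to MAX_BATCH sockets bound to dev_id, holding a reference on each
 * so they survive the lock drop. Returns cnt, the number of populated slots. */
static size_t collect(struct sock *socks, size_t n, int dev_id, struct sock *array[MAX_BATCH]) {
    size_t cnt = 0;
    for (size_t i = 0; i < n && cnt < MAX_BATCH; i++) {
        if (socks[i].dev_id != dev_id) continue;
        sock_hold(&socks[i]);
        array[cnt++] = &socks[i];
    }
    return cnt;
}

/* Post-fix loop: array[i] visits exactly slots 0..cnt-1 and drops each hold. */
static void kill_fixed(struct sock *array[], size_t cnt) {
    for (size_t i = 0; i < cnt; i++) {
        array[i]->disconnected = 1;
        sock_put(array[i]);
    }
}

/* The pre-fix loop indexed array[cnt]. Only slots 0..cnt-1 were populated, so
 * array[cnt] never names a collected socket; classify what it would hit instead. */
static const char *buggy_slot_kind(size_t cnt) {
    return cnt < MAX_BATCH ? "uninitialized" : "out-of-bounds";
}

/* Run the fixed path over a constructed table of sockets on devices 1 and 2.
 * Returns the number disconnected and records outstanding holds in leaked_refs. */
static int leaked_refs = -1;
static int run_fixed_demo(void) {
    struct sock socks[5] = {{1, 1, 0}, {1, 2, 0}, {1, 1, 0}, {1, 1, 0}, {1, 2, 0}};
    struct sock *array[MAX_BATCH];
    size_t cnt = collect(socks, ARRAY_SIZE(socks), 1, array);
    int n = 0;
    kill_fixed(array, cnt);
    leaked_refs = 0;
    for (size_t i = 0; i < ARRAY_SIZE(socks); i++) {
        n += socks[i].disconnected;
        leaked_refs += socks[i].refcnt - 1;
    }
    return n;
}
```

With three device-1 sockets collected, the fixed loop disconnects exactly those three and leaves no extra reference behind, whereas the old index array[3] would have read an unpopulated slot and array[8] would have read past the end.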

The operational impact of this vulnerability extends beyond simple memory corruption, creating potential pathways for privilege escalation and system instability. When the function executes with an invalid index, it dereferences potentially invalid socket pointers, which can lead to kernel crashes through null pointer dereferences or more insidiously through reading corrupted memory locations. The vulnerability also introduces reference leak conditions where sock_hold() references are not properly released, leading to memory leaks that can accumulate over time and potentially cause system resource exhaustion. According to CWE classification, this represents a CWE-129: Improper Validation of Array Index vulnerability, while the ATT&CK framework would categorize this under T1068: Exploitation for Privilege Escalation and T1499.1: Endpoint Denial of Service, as the vulnerability can be leveraged to cause system instability or denial of service conditions. The flaw is particularly concerning because it operates within kernel space, where unauthorized access to kernel memory structures can lead to complete system compromise.

Mitigation strategies for CVE-2025-71086 should focus on immediate patch application and system hardening measures. The primary fix involves correcting the indexing variable from cnt to i in the rose_kill_by_device() function, ensuring that array[i] properly accesses the intended array elements rather than causing out-of-bounds memory operations. System administrators should prioritize applying the kernel patch that resolves this specific vulnerability, as it directly addresses the root cause without requiring additional workarounds. Additional defensive measures include implementing kernel memory protection mechanisms such as stack canaries and kernel address space layout randomization to make exploitation more difficult. Network monitoring should be enhanced to detect unusual patterns in device bring-down operations that might indicate exploitation attempts. Organizations should also consider implementing runtime integrity checks for kernel memory regions and maintaining up-to-date kernel security patches to prevent similar vulnerabilities from being exploited in the future. The fix aligns with security best practices outlined in the Linux Kernel Security documentation and represents a straightforward correction that addresses the specific indexing error without introducing functional regressions to the ROSE protocol implementation.

Responsible

Linux

Reservation

01/13/2026

Disclosure

01/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00120

KEV

no

Activities

very low
