CVE-2025-71099 in Linux
Summary
by MITRE • 01/13/2026
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()
In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock. Since this lock protects the lifetime of oa_config, an attacker could guess the id and call xe_oa_remove_config_ioctl() with perfect timing, freeing oa_config before we dereference it, leading to a potential use-after-free.
Fix this by caching the id in a local variable while holding the lock.
v2: (Matt A) - Dropped mutex_unlock(&oa->metrics_lock) ordering change from xe_oa_remove_config_ioctl()
(cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31)
Analysis
by VulDB Data Team • 04/21/2026
CVE-2025-71099 is a use-after-free in the Linux kernel's Intel Xe graphics driver (drm/xe), in the observation architecture (OA) code that manages performance-monitoring configurations. The bug is in xe_oa_add_config_ioctl(): the function releases oa->metrics_lock, the mutex that protects the lifetime of an oa_config object, and then still reads oa_config->id from that object. A concurrent caller can free the object in that gap, so the read can land on freed memory. The upstream commit describes the result as a potential use-after-free.
The sequence is as follows. xe_oa_add_config_ioctl() allocates a new oa_config, takes metrics_lock, registers the config under a small integer id, and drops the lock. It then returns oa_config->id to the calling process. Because the lock is already released when that field is read, a second thread that knows or guesses the id (ids are small integers, so guessing is easy) can call xe_oa_remove_config_ioctl() in the window between mutex_unlock() and the read; the remove path unregisters and frees the oa_config, and the final read in the add path then goes through a dangling pointer. As the commit describes it, the use is a read of the id field: the immediate effect is that the ioctl returns whatever now occupies that offset of the freed allocation, and any further consequence depends on what the allocator has reused the memory for. The window is only a few instructions wide, but the attacker controls both ioctls and can retry until the race is won. Reaching the bug requires local access to the Xe DRM device node; in addition, the add and remove config ioctls are gated by the driver's observation_paranoid setting, which by default allows them only to callers with perfmon capability (CAP_PERFMON or CAP_SYS_ADMIN), so on a default configuration an unprivileged local user cannot trigger the race.
The weakness is CWE-416 (Use After Free). On the ATT&CK side the relevant technique is T1068, Exploitation for Privilege Escalation: a local process abuses a kernel memory-safety bug, not a scripting interpreter. Affected systems are those running a kernel with the Xe driver (CONFIG_DRM_XE) on the Intel GPUs it supports, before the fix commit or its stable backports. The realistic impact of a read-side kernel use-after-free ranges from a kernel warning or crash, if the freed memory has been returned to the allocator or hardening such as KASAN or slab poisoning catches the access, to disclosure of whatever data now occupies the slab object. Turning it into code execution would require additional primitives that the commit does not describe, so claims of arbitrary code execution from this bug alone are not supported by the advisory.
The fix copies oa_config->id into a local variable while metrics_lock is still held and returns that local after unlocking, so the function no longer touches oa_config once the lock guaranteeing its lifetime is released. The critical section is not lengthened; the only change is that the value needed after the unlock is captured inside it. The v2 note in the commit message refers to the patch's own review history: an earlier revision also moved mutex_unlock(&oa->metrics_lock) in xe_oa_remove_config_ioctl(), and that unrelated change was dropped during review, so the merged patch alters only the add path and leaves the remove path as it was. The rule the fix applies is general: a field of an object whose lifetime is protected by a lock must be read under that lock, and only plain values, never pointers into the object, may be used after the lock is dropped. The same pattern is worth auditing anywhere an ioctl returns an identifier of an object it has just registered.
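The race and the fix, modelled as a constructed userspace C program added here for illustration; this is not the xe driver's code. The struct names, the fixed-size config table, the race_hook_t callback that lets the remover win the race deterministically, and the poison value standing in for kfree() are all assumptions of the model. The vulnerable variant reads cfg->id after dropping the lock, exactly as the pre-fix ioctl did; the fixed variant caches the id under the lock.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONFIGS  8
#define FREED_POISON 0x6b6b6b6b  /* mimics slab poison: marks a freed object */

struct oa_config { int id; };    /* constructed stand-in for the driver's oa_config */

struct oa_state {                /* constructed stand-in for struct xe_oa */
    pthread_mutex_t   metrics_lock;           /* models oa->metrics_lock */
    struct oa_config *configs[MAX_CONFIGS];   /* models the id -> config table */
    struct oa_config  pool[MAX_CONFIGS];      /* backing store; "freed" entries are poisoned */
    int               next_id;
};

/* A call that lands in the window between mutex_unlock() and the id read. */
typedef int (*race_hook_t)(struct oa_state *st, int guessed_id);

static void oa_state_init(struct oa_state *st)
{
    memset(st, 0, sizeof *st);
    pthread_mutex_init(&st->metrics_lock, NULL);
    st->next_id = 1;             /* ids are small sequential integers: easy to guess */
}

/* Models xe_oa_remove_config_ioctl(): unregister under the lock, then "kfree"
 * by poisoning the object so a later read through a stale pointer is visible. */
static int remove_config(struct oa_state *st, int id)
{
    struct oa_config *cfg;
    pthread_mutex_lock(&st->metrics_lock);
    if (id < 1 || id >= MAX_CONFIGS || !st->configs[id]) {
        pthread_mutex_unlock(&st->metrics_lock);
        return -ENOENT;
    }
    cfg = st->configs[id];
    st->configs[id] = NULL;
    pthread_mutex_unlock(&st->metrics_lock);
    cfg->id = FREED_POISON;      /* stands in for kfree(cfg) */
    return 0;
}

/* Caller holds metrics_lock: take the next slot, assign its id, register it. */
static struct oa_config *register_locked(struct oa_state *st)
{
    struct oa_config *cfg;
    if (st->next_id >= MAX_CONFIGS)
        return NULL;
    cfg = &st->pool[st->next_id];
    cfg->id = st->next_id++;
    st->configs[cfg->id] = cfg;
    return cfg;
}

/* BEFORE the fix: cfg->id is read after metrics_lock has been dropped. */
static int add_config_vulnerable(struct oa_state *st, race_hook_t hook)
{
    struct oa_config *cfg;
    pthread_mutex_lock(&st->metrics_lock);
    cfg = register_locked(st);
    pthread_mutex_unlock(&st->metrics_lock);
    if (!cfg)
        return -ENOSPC;
    if (hook)                    /* racing remover guesses the id just handed out */
        hook(st, st->next_id - 1);
    return cfg->id;              /* use-after-free: cfg may already be gone */
}

/* AFTER the fix: the id is cached while the lock still protects cfg. */
static int add_config_fixed(struct oa_state *st, race_hook_t hook)
{
    struct oa_config *cfg;
    int id;
    pthread_mutex_lock(&st->metrics_lock);
    cfg = register_locked(st);
    id = cfg ? cfg->id : -ENOSPC;
    pthread_mutex_unlock(&st->metrics_lock);
    if (id > 0 && hook)
        hook(st, st->next_id - 1);
    return id;                   /* cfg is never dereferenced after the unlock */
}

/* Runs both variants against a remover that wins the race every time and
 * returns what each ioctl would hand back to userspace. */
static void run_race(int *vuln_ret, int *fixed_ret)
{
    struct oa_state st;
    oa_state_init(&st);
    *vuln_ret  = add_config_vulnerable(&st, remove_config);
    *fixed_ret = add_config_fixed(&st, remove_config);
    pthread_mutex_destroy(&st.metrics_lock);
}

int main(void)
{
    int v, f;
    run_race(&v, &f);
    printf("vulnerable add returned 0x%x (value read from freed config)\n", v);
    printf("fixed add returned %d (id cached under metrics_lock)\n", f);
    return 0;
}
```

Build with `cc -pthread race.c`. The vulnerable path hands the caller the poison value because the object was "freed" between the unlock and the read; the fixed path returns the id it captured under the lock even though the same remover ran in the same window. In the real kernel the freed slab object may already be reused by an unrelated allocation, which is why the returned value, and anything else read through the stale pointer, is attacker-influenced rather than merely stale.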