CVE-2025-71099
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
13/01/2026
Last modified:
25/03/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()

In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping
metrics_lock. Since this lock protects the lifetime of oa_config, an
attacker could guess the id and call xe_oa_remove_config_ioctl() with
perfect timing, freeing oa_config before we dereference it, leading to
a potential use-after-free.

Fix this by caching the id in a local variable while holding the lock.

v2: (Matt A)
- Dropped mutex_unlock(&oa->metrics_lock) ordering change from
xe_oa_remove_config_ioctl()

(cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31)
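The fix pattern described above, shown as an added userspace model that is not the kernel's or the xe driver's code: a pthread mutex stands in for metrics_lock, and every identifier (`registry`, `add_config`, `remove_config`, `racing_remove`, `race_hook`) is hypothetical. The hook runs a remove in the window right after the unlock, so the add path has to return the id it cached under the lock rather than read it from the object.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
/* Userspace model; every name here is hypothetical, not the xe driver's. */
#define MAX_CONFIGS 8
struct config { int id; };
struct registry {
    pthread_mutex_t lock;              /* protects slots[] and config lifetime */
    struct config *slots[MAX_CONFIGS]; /* slot index doubles as the id */
};
static struct registry reg = { .lock = PTHREAD_MUTEX_INITIALIZER };

/* Remove path: frees the object under the lock, as any other caller may. */
static int remove_config(struct registry *r, int id)
{
    int ret = -1;
    pthread_mutex_lock(&r->lock);
    if (id > 0 && id < MAX_CONFIGS && r->slots[id]) {
        free(r->slots[id]);
        r->slots[id] = NULL;
        ret = 0;
    }
    pthread_mutex_unlock(&r->lock);
    return ret;
}
/* Stand-in for a second thread that guessed the id and won the race. */
static void racing_remove(struct registry *r, int id) { remove_config(r, id); }

/* Add path. race_hook runs in the window right after the unlock. */
static int add_config(struct registry *r, void (*race_hook)(struct registry *, int))
{
    struct config *cfg = calloc(1, sizeof(*cfg));
    int id = -1;
    if (!cfg) return -1;
    pthread_mutex_lock(&r->lock);
    for (int i = 1; i < MAX_CONFIGS && id < 0; i++)
        if (!r->slots[i]) {
            cfg->id = i;
            r->slots[i] = cfg;
            id = cfg->id;   /* the fix: copy the id while the lock is held */
        }
    pthread_mutex_unlock(&r->lock);
    if (id < 0) free(cfg);  /* table full: cfg was never published, still ours */
    else if (race_hook) race_hook(r, id);  /* cfg may be freed from here on */
    return id;              /* unsafe form would be: return cfg->id; */
}

int main(void) { printf("id=%d\n", add_config(&reg, racing_remove)); return 0; }
```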
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11.1 (including) | 6.12.64 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.4 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.11:-:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:* | | |



