PatchSiren

CVE-2025-71066 Linux CVE debrief

CVE-2025-71066 is a Linux kernel net/sched ETS qdisc race condition that can leave a class on the active list after its qdisc has been freed, creating a use-after-free in struct Qdisc. The supplied source says an attacker needs the ability to create new user and network namespaces to trigger the bug. The referenced fix removes the class from the active list before deleting and freeing the associated qdisc.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-13
Original CVE updated: 2026-04-15
Advisory published: 2026-01-13
Advisory updated: 2026-04-15

Who should care

Linux kernel maintainers, distro security teams, and operators of systems that allow unprivileged user and network namespace creation should prioritize this issue, especially where tc/ets traffic shaping is used.

Technical summary

The vulnerability is described as a race between ets_qdisc_dequeue and ets_qdisc_change. During ETS reconfiguration, a class can remain linked in the active list while its qdisc pointer is cleared and the qdisc object is freed after the lock is released. If dequeue runs in that window, it can follow a stale active-list entry and dereference freed qdisc state, resulting in a use-after-free in struct Qdisc. The stated fix is to always remove the class from the active list before deleting and freeing its associated qdisc.

Defensive priority

High

Recommended defensive actions

  • Apply the Linux kernel fix associated with the linked stable commits for CVE-2025-71066.
  • Review systems that use ETS qdisc configurations and ensure kernel packages are updated from a trusted vendor build.
  • Reduce exposure by limiting unprivileged user namespace and network namespace creation where operationally feasible.
  • Prioritize hosts that support local users, containers, or other workloads that can reach tc and namespace functionality.
  • Track vendor and distribution advisories for backported fixes that correspond to the linked kernel.org commit references.
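
A per-host triage sketch for the actions above, added here as an example and not taken from the kernel.org commits or any vendor tooling. The sysctl names (user.max_user_namespaces, user.max_net_namespaces, and the Debian/Ubuntu-only kernel.unprivileged_userns_clone) and the three priority tiers are assumptions of this example; it does not detect whether the running kernel already carries the fix.

```shell
#!/bin/sh
# Added example: host exposure triage for CVE-2025-71066 (not vendor tooling).

# Count ETS qdiscs in `tc qdisc show` output supplied on stdin.
count_ets_qdiscs() {
    awk '$1 == "qdisc" && $2 == "ets" { n++ } END { print n + 0 }'
}

# Classify namespace exposure from sysctl values.
#   $1 user.max_user_namespaces   $2 user.max_net_namespaces
#   $3 kernel.unprivileged_userns_clone (Debian/Ubuntu kernels only)
# Missing or unreadable values ("") are treated as open, the conservative choice.
userns_exposure() {
    if [ "$1" = "0" ] || [ "$2" = "0" ] || [ "$3" = "0" ]; then
        echo restricted
    else
        echo open
    fi
}

# Assumed triage tiers (this example's own, not from the advisory):
#   urgent   - unprivileged namespace creation is open
#   elevated - namespaces restricted, but ETS is configured on the host
#   routine  - namespaces restricted and no ETS qdisc present
triage() {
    if [ "$1" = "open" ]; then echo urgent
    elif [ "$2" -gt 0 ]; then echo elevated
    else echo routine
    fi
}

read_sysctl() { cat "/proc/sys/$1" 2>/dev/null || true; }

report_host() {
    exposure=$(userns_exposure \
        "$(read_sysctl user/max_user_namespaces)" \
        "$(read_sysctl user/max_net_namespaces)" \
        "$(read_sysctl kernel/unprivileged_userns_clone)")
    # Only the current network namespace is inspected here.
    ets=$( { tc qdisc show 2>/dev/null || true; } | count_ets_qdiscs)
    echo "kernel=$(uname -r) namespaces=$exposure ets_qdiscs=$ets" \
         "priority=$(triage "$exposure" "$ets")"
}

if [ "${1:-}" = "--report" ]; then report_host; fi
```

Run it with --report on each host. A zero ETS count does not lower the priority while namespaces are open, because the count covers only qdiscs in the namespace the script runs in.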

Evidence notes

The supplied description explicitly identifies a race between ets_qdisc_dequeue and ets_qdisc_change, states that some classes remain on the active list after their qdisc is set to NULL, and links that state to a use-after-free on struct Qdisc. The source item also provides kernel.org stable commit references associated with the fix, while the NVD record is marked Deferred and does not supply a CVSS vector or version range in the provided corpus. CVE publication timing in the supplied timeline is 2026-01-13, with a later record modification on 2026-04-15.

Official resources

Publicly recorded in the CVE/NVD ecosystem on 2026-01-13, with the source description attributing the analysis to [email protected] and linking to kernel.org stable commits for the fix.