PatchSiren

CVE-2025-71304 Linux CVE debrief

A logic flaw in the Linux kernel's Smack security module allows non-privileged users to disable networking for non-ambient Smack labels by writing a previously-used DOI value to /smack/doi. The root cause is that Smack retains decommissioned DOI definitions, causing subsequent re-add attempts to fail with -EEXIST (-17). This prevents the default domain map from being re-established, breaking CIPSO-labeled networking for processes running under non-ambient labels while leaving ambient-labeled processes unaffected. The vulnerability requires local access and Smack LSM to be active. The fix clears decommissioned DOI definitions, adds proper serialization for concurrent DOI updates, and reorders operations to ensure the old map persists if the new DOI add fails.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with Smack LSM enabled, particularly embedded systems, IoT devices, and high-security environments using CIPSO labeling for mandatory access control. System administrators responsible for Smack policy configuration and network security teams monitoring for unexpected network connectivity failures.

Technical summary

The Smack Linux Security Module (LSM) maintains CIPSO DOI (Domain of Interpretation) configurations through the /smack/doi sysfs interface. When a DOI value is written to this file, Smack attempts to remove the existing default domain map, add the new DOI to the CIPSO configuration, and re-add the default domain map with the new DOI. However, Smack retains decommissioned DOI definitions internally. When a previously-used DOI is written to /smack/doi, the attempt to re-add it to CIPSO fails with -EEXIST (-17), causing the default domain map addition to be skipped. This leaves the system without a CIPSO mapping for the default domain, which disables IPv4 networking for processes running under non-ambient Smack labels. Ambient-labeled processes (typically the '_' label) continue to function because they use the UNLABELED protocol rather than CIPSO. The fix involves clearing decommissioned DOI definitions, adding a mutex to serialize concurrent DOI updates, allowing /smack/doi to remain unconfigured (CIPSO_V4_DOI_UNKNOWN/0), and reordering operations so the old default map is only removed after the new DOI is successfully added.
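The ordering problem described above, reduced to a user-space C model. This is an added example, not the kernel's code or the upstream patch: the struct, the function names and the 16-entry DOI table are assumptions, and the mutex serialization from the fix is not modelled.

```c
/* User-space toy model of the DOI update order. Not kernel code; names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#define MAX_DOI 16       /* model limit: DOI values 1..15 */
#define DOI_UNKNOWN 0u   /* stands in for CIPSO_V4_DOI_UNKNOWN: no default CIPSO map */
struct model {
    unsigned char registered[MAX_DOI];  /* 1 = DOI definition currently known to CIPSO */
    unsigned default_map_doi;           /* DOI behind the default domain map */
};

static int cipso_add(struct model *m, unsigned doi) {
    if (doi == DOI_UNKNOWN || doi >= MAX_DOI)
        return -EINVAL;
    if (m->registered[doi])
        return -EEXIST;                 /* definition is still registered */
    m->registered[doi] = 1;
    return 0;
}

/* Pre-fix order: remove default map, add DOI, re-add map. Old DOIs are never cleared. */
int doi_write_prefix(struct model *m, unsigned doi) {
    m->default_map_doi = DOI_UNKNOWN;   /* old default map removed first */
    int rc = cipso_add(m, doi);
    if (rc == 0)
        m->default_map_doi = doi;       /* skipped on -EEXIST: default domain left unmapped */
    return rc;
}

/* Fixed order: add the DOI first, touch the map only on success, clear the old DOI. */
int doi_write_fixed(struct model *m, unsigned doi) {
    int rc = cipso_add(m, doi);
    if (rc)
        return rc;                      /* old default map stays in place */
    m->registered[m->default_map_doi] = 0;  /* drop the decommissioned definition */
    m->default_map_doi = doi;
    return 0;
}

/* Start at DOI 3, write 5, then write 3 again; return the DOI left behind the map. */
unsigned replay(int (*write_doi)(struct model *, unsigned)) {
    struct model m = { .registered = { [3] = 1 }, .default_map_doi = 3 };
    write_doi(&m, 5);
    write_doi(&m, 3);
    return m.default_map_doi;
}

int main(void) {
    printf("pre-fix: %u  fixed: %u\n", replay(doi_write_prefix), replay(doi_write_fixed));
}
```

A result of 0 from the pre-fix replay corresponds to the state in which the default domain has no CIPSO mapping; the fixed replay ends with the map on DOI 3.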

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available from your distribution
  • If Smack is not required by your security policy, verify that the Smack LSM is not enabled
  • Monitor /smack/doi and /proc/net/netlabel for unexpected DOI or domain map changes
  • Review process Smack labels via /proc/*/attr/smack/current for networking anomalies
  • Audit systems for unexpected netlabelctl configuration changes

Evidence notes

CVE published 2026-05-27T14:16:42.850Z; modified 2026-05-27T14:48:31.480Z. Multiple stable kernel fix commits referenced. No CVSS score or severity assigned by NVD at time of disclosure.
