How to fix CVE-2025-71110?

Within 7 days: Identify all affected systems and apply vendor patches promptly. If patching is delayed, consider network segmentation to limit exposure.

Is Use After Free affected by CVE-2025-71110?

CVE-2025-71110 presents notable security risk, a use-after-free vulnerability rated CVSS 7.8. Exploitation could compromise the security of affected deployments. Organizations should apply vendor updates when available and consider compensating controls in the interim.

CVE-2025-71110

HIGH

2026-01-14 416baaa9-dc9f-4396-8d5f-8c081fb06d67

7.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Apr 09, 2026 - 08:30 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 14, 2026 - 15:16 nvd

HIGH 7.8

Description

In the Linux kernel, the following vulnerability has been resolved: mm/slub: reset KASAN tag in defer_free() before accessing freed memory When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free(). On ARM64 with MTE (Memory Tagging Extension), kasan_slab_free() poisons the memory and changes the tag from the original (e.g., 0xf3) to a poison tag (0xfe). When defer_free() then tries to write to the freed object to build the deferred free list via llist_add(), the pointer still has the old tag, causing a tag mismatch and triggering a KASAN use-after-free report: BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537 Write at addr f3f000000854f020 by task kworker/u8:6/983 Pointer tag: [f3], memory tag: [fe] Fix this by calling kasan_reset_tag() before accessing the freed memory. This is safe because defer_free() is part of the allocator itself and is expected to manipulate freed memory for bookkeeping purposes.

Analysis

In the Linux kernel, the following vulnerability has been resolved:

mm/slub: reset KASAN tag in defer_free() before accessing freed memory

When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free().

Technical Context

In the Linux kernel, the following vulnerability has been resolved:

mm/slub: reset KASAN tag in defer_free() before accessing freed memory

When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free()

before defer_free(). On ARM64 with MTE (Memory Tagging Extension),

kasan_slab_free() poisons the memory and changes the tag from the

original (e.g., 0xf3) to a poison tag (0xfe).

When defer_free() then tries to write to the freed object to build the

deferred free list via llist_add(),

Affected Products

In the Linux kernel, the following vulnerability has been resolved: mm/slub: reset KASAN tag in defer_free() before accessing freed memory When CONF

Remediation

Monitor vendor advisories for a patch.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +39

POC: 0

Vendor Status

CVE-2025-71110 vulnerability details – vuln.today

Back

CVE-2025-71110

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-71110

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code