Skip to main content

Linux Kernel EUVDEUVD-2025-209968

| CVE-2025-71304 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-hgc7-rqx4-p393
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.4 MEDIUM

Writing to /smack/doi requires CAP_MAC_ADMIN (effectively root-level), warranting PR:H over the official PR:L; no confidentiality or integrity impact applies.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 23:16 vuln.today
CVSS changed
Jun 25, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:16 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

smack: /smack/doi: accept previously used values

Writing to /smack/doi a value that has ever been written there in the past disables networking for non-ambient labels. E.g.

cat /smack/doi

3

netlabelctl -p cipso list

Configured CIPSO mappings (1) DOI value : 3 mapping type : PASS_THROUGH

netlabelctl -p map list

Configured NetLabel domain mappings (3) domain: "_" (IPv4) protocol: UNLABELED domain: DEFAULT (IPv4) protocol: CIPSO, DOI = 3 domain: DEFAULT (IPv6) protocol: UNLABELED

cat /smack/ambient

_

cat /proc/$$/attr/smack/current

_

ping -c1 10.1.95.12

64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.964 ms

echo foo >/proc/$$/attr/smack/current

ping -c1 10.1.95.12

64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.956 ms unknown option 86

echo 4 >/smack/doi

echo 3 >/smack/doi

!> [ 214.050395] smk_cipso_doi:691 cipso add rc = -17

echo 3 >/smack/doi

!> [ 249.402261] smk_cipso_doi:678 remove rc = -2 !> [ 249.402261] smk_cipso_doi:691 cipso add rc = -17

ping -c1 10.1.95.12

!!> ping: 10.1.95.12: Address family for hostname not supported

echo _ >/proc/$$/attr/smack/current

ping -c1 10.1.95.12

64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.617 ms

This happens because Smack keeps decommissioned DOIs, fails to re-add them, and consequently refuses to add the “default” domain map:

netlabelctl -p cipso list

Configured CIPSO mappings (2) DOI value : 3 mapping type : PASS_THROUGH DOI value : 4 mapping type : PASS_THROUGH

netlabelctl -p map list

Configured NetLabel domain mappings (2) domain: "_" (IPv4) protocol: UNLABELED !> (no ipv4 map for default domain here) domain: DEFAULT (IPv6) protocol: UNLABELED

Fix by clearing decommissioned DOI definitions and serializing concurrent DOI updates with a new lock.

Also:

  • allow /smack/doi to live unconfigured, since

adding a map (netlbl_cfg_cipsov4_map_add) may fail. CIPSO_V4_DOI_UNKNOWN(0) indicates the unconfigured DOI

  • add new DOI before removing the old default map,

so the old map remains if the add fails

(2008-02-04, Casey Schaufler)

AnalysisAI

Networking denial of service in the Linux kernel's Smack LSM disrupts IPv4 connectivity for all processes carrying non-ambient Smack labels when a previously-used CIPSO DOI value is cycled through /smack/doi. The kernel's smk_cipso_doi function retains decommissioned DOI definitions in netlabel's CIPSO configuration, causing re-add operations to fail with EEXIST (-17); this prevents the default IPv4 domain mapping from being re-established, silently severing label-based network traffic. No public exploit code is identified and EPSS sits at 0.02% (7th percentile), reflecting the very narrow deployment surface - only systems with Smack as the active LSM and CIPSO networking configured are affected.

Technical ContextAI

Smack (Simplified Mandatory Access Control Kernel) is a Linux Security Module that enforces mandatory access control by attaching labels to subjects and objects. For network traffic, Smack uses CIPSO (Commercial IP Security Option) DOI (Domain of Interpretation) values - configured via netlabel - to label and enforce policy on IP packets. The virtual file /smack/doi exposes the active DOI to privileged users and triggers netlabel reconfiguration on write. The root cause is a state management logic error in smk_cipso_doi() (around lines 678-691 of the Smack LSM source): when a DOI value is changed and then reverted to a prior value, Smack does not clear the decommissioned DOI from netlabel's internal CIPSO table before attempting to re-add it. The re-add fails with EEXIST (-17), and the code path that establishes the DEFAULT IPv4 domain map via netlbl_cfg_cipsov4_map_add is skipped, leaving the default domain entry absent. Affected CPE is cpe:2.3:o:linux:linux_kernel across multiple stable branches introduced with commit e114e473771c848c3cfec05f0123e70f1cdbdc99 (Linux 2.6.25). CWE is listed as N/A but the root cause is closest to a stale-state/resource-lifecycle management flaw.

RemediationAI

The primary fix is to upgrade to a patched stable kernel release: 5.10.252 or later, 5.15.202 or later, 6.1.165 or later, 6.6.128 or later, 6.12.75 or later, 6.18.14 or later, 6.19.4 or later, or kernel 7.0+. Upstream commit references are available at git.kernel.org/stable (see NVD references for exact commit SHAs per branch). Distributions carrying backported stable kernels should apply the relevant stable queue patch. As a compensating control where patching is not immediately possible, avoid cycling the /smack/doi value on production systems - specifically, do not write a new DOI value followed by the previous DOI value in the same session; if a DOI change is needed, reboot to restore a clean netlabel state. Restricting write access to /smack/doi via filesystem permissions or CAP_MAC_ADMIN policy reduces exposure but may not be feasible in all Smack deployments. Note that the compensating control does not address concurrent DOI update races also fixed by the patch.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2025-209968 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy