Bug 2429585 (CVE-2025-71110) - CVE-2025-71110 kernel: mm/slub: reset KASAN tag in defer_free() before accessing freed memory
Summary: CVE-2025-71110 kernel: mm/slub: reset KASAN tag in defer_free() before access...
Keywords:
Status: NEW
Alias: CVE-2025-71110
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-01-14 16:02 UTC by OSIDB Bzimport
Modified: 2026-01-14 20:37 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-01-14 16:02:20 UTC 
In the Linux kernel, the following vulnerability has been resolved:

mm/slub: reset KASAN tag in defer_free() before accessing freed memory

When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free()
before defer_free(). On ARM64 with MTE (Memory Tagging Extension),
kasan_slab_free() poisons the memory and changes the tag from the
original (e.g., 0xf3) to a poison tag (0xfe).

When defer_free() then tries to write to the freed object to build the
deferred free list via llist_add(), the pointer still has the old tag,
causing a tag mismatch and triggering a KASAN use-after-free report:

  BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537
  Write at addr f3f000000854f020 by task kworker/u8:6/983
  Pointer tag: [f3], memory tag: [fe]

Fix this by calling kasan_reset_tag() before accessing the freed memory.
This is safe because defer_free() is part of the allocator itself and is
expected to manipulate freed memory for bookkeeping purposes.
Comment 1 Jon Moroney 2026-01-14 20:33:02 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026011412-CVE-2025-71110-c354@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.