Bug 2429028 (CVE-2025-71080) - CVE-2025-71080 kernel: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
Summary: CVE-2025-71080 kernel: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
Keywords:
Status: NEW
Alias: CVE-2025-71080
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-01-13 16:01 UTC by OSIDB Bzimport
Modified: 2026-01-30 21:25 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-01-13 16:01:40 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT

On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the
current task can be preempted. Another task running on the same CPU
may then execute rt6_make_pcpu_route() and successfully install a
pcpu_rt entry. When the first task resumes execution, its cmpxchg()
in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer
NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding
mdelay() after rt6_get_pcpu_route().

Using preempt_disable/enable is not appropriate here because
ip6_rt_pcpu_alloc() may sleep.

Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT:
free our allocation and return the existing pcpu_rt installed by
another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT
kernels where such races should not occur.
Comment 1 Jon Moroney 2026-01-15 04:40:33 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026011338-CVE-2025-71080-f9ae@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.