HOMEVULNERABILITIESCVE-2025-71304
NONE

CVE-2025-71304

Published: May 27, 2026· Updated: May 27, 2026

Official Description

In the Linux kernel, the following vulnerability has been resolved:

smack: /smack/doi: accept previously used values

Writing to /smack/doi a value that has ever been

written there in the past disables networking for

non-ambient labels.

E.g.

# cat /smack/doi

3

# netlabelctl -p cipso list

Configured CIPSO mappings (1)

DOI value : 3

mapping type : PASS_THROUGH

# netlabelctl -p map list

Configured NetLabel domain mappings (3)

domain: "_" (IPv4)

protocol: UNLABELED

domain: DEFAULT (IPv4)

protocol: CIPSO, DOI = 3

domain: DEFAULT (IPv6)

protocol: UNLABELED

# cat /smack/ambient

_

# cat /proc/$$/attr/smack/current

_

# ping -c1 10.1.95.12

64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.964 ms

# echo foo >/proc/$$/attr/smack/current

# ping -c1 10.1.95.12

64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.956 ms

unknown option 86

# echo 4 >/smack/doi

# echo 3 >/smack/doi

!> [ 214.050395] smk_cipso_doi:691 cipso add rc = -17

# echo 3 >/smack/doi

!> [ 249.402261] smk_cipso_doi:678 remove rc = -2

!> [ 249.402261] smk_cipso_doi:691 cipso add rc = -17

# ping -c1 10.1.95.12

!!> ping: 10.1.95.12: Address family for hostname not supported

# echo _ >/proc/$$/attr/smack/current

# ping -c1 10.1.95.12

64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.617 ms

This happens because Smack keeps decommissioned DOIs,

fails to re-add them, and consequently refuses to add

the “default” domain map:

# netlabelctl -p cipso list

Configured CIPSO mappings (2)

DOI value : 3

mapping type : PASS_THROUGH

DOI value : 4

mapping type : PASS_THROUGH

# netlabelctl -p map list

Configured NetLabel domain mappings (2)

domain: "_" (IPv4)

protocol: UNLABELED

!> (no ipv4 map for default domain here)

domain: DEFAULT (IPv6)

protocol: UNLABELED

Fix by clearing decommissioned DOI definitions and

serializing concurrent DOI updates with a new lock.

Also:

- allow /smack/doi to live unconfigured, since

adding a map (netlbl_cfg_cipsov4_map_add) may fail.

CIPSO_V4_DOI_UNKNOWN(0) indicates the unconfigured DOI

- add new DOI before removing the old default map,

so the old map remains if the add fails

(2008-02-04, Casey Schaufler)

NVD Source

Technical Analysis

CVE-2025-71304 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (8)

Quick Facts

CVE IDCVE-2025-71304
SeverityNONE
CISA KEVNo
PublishedMay 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2025-71304 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.