In the Linux kernel, the following vulnerability has been resolved:
mm/slub: reset KASAN tag in defer_free() before accessing freed memory
When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free(). On ARM64 with MTE (Memory Tagging Extension), kasan_slab_free() poisons the memory and changes the tag from the original (e.g., 0xf3) to a poison tag (0xfe).
When defer_free() then tries to write to the freed object to build the deferred free list via llist_add(), the pointer still has the old tag, causing a tag mismatch and triggering a KASAN use-after-free report:
  BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537
  Write at addr f3f000000854f020 by task kworker/u8:6/983
  Pointer tag: [f3], memory tag: [fe]
Fix this by calling kasan_reset_tag() before accessing the freed memory. This is safe because defer_free() is part of the allocator itself and is expected to manipulate freed memory for bookkeeping purposes.
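The tag mismatch and the effect of resetting the tag can be reproduced in a small user-space model. This is an added example, not kernel code or the actual patch. The pool, the helper names (set_tag, checked_write, model_alloc, model_defer_free) and the use of 0xff as a match-all tag are assumptions of the model; 0xf3 and 0xfe are the tags from the report above.

```c
/* User-space model of tag-checked access; not kernel code. */
#include <stdint.h>
#include <stdio.h>

#define TAG_SHIFT    56
#define TAG_MASK     (0xffULL << TAG_SHIFT)
#define TAG_MATCHALL 0xffu  /* assumption of this model: tag that skips the check */
#define TAG_POISON   0xfeu  /* poison tag from the report above */
#define GRANULE      16u
#define POOL_SIZE    64u

static uint8_t pool[POOL_SIZE];
static uint8_t mem_tag[POOL_SIZE / GRANULE];  /* one tag per 16-byte granule */

static uint64_t set_tag(uint64_t p, uint8_t t) {
    return (p & ~TAG_MASK) | ((uint64_t)t << TAG_SHIFT);
}
static uint8_t get_tag(uint64_t p) { return (uint8_t)(p >> TAG_SHIFT); }
static uint64_t reset_tag(uint64_t p) { return set_tag(p, TAG_MATCHALL); }

/* Returns 1 if the write is allowed, 0 where a tag mismatch would be reported. */
static int checked_write(uint64_t p, uint8_t val) {
    uint64_t off = p & ~TAG_MASK;
    uint8_t pt = get_tag(p);
    if (off >= POOL_SIZE) return 0;
    if (pt != TAG_MATCHALL && pt != mem_tag[off / GRANULE]) return 0;
    pool[off] = val;
    return 1;
}

/* Tag the granule and hand back a pointer carrying the same tag. */
static uint64_t model_alloc(uint64_t off, uint8_t tag) {
    mem_tag[off / GRANULE] = tag;
    return set_tag(off, tag);
}

/* Free path in the order the advisory describes: poison, then link the object. */
static int model_defer_free(uint64_t p, int reset) {
    mem_tag[(p & ~TAG_MASK) / GRANULE] = TAG_POISON;  /* memory tag changes, pointer tag does not */
    if (reset) p = reset_tag(p);                      /* the fix */
    return checked_write(p, 0xAA);                    /* stand-in for the list-link write */
}

int main(void) {
    uint64_t p = model_alloc(32, 0xf3);
    printf("stale tag: %d\n", model_defer_free(p, 0));
    p = model_alloc(32, 0xf3);
    printf("reset tag: %d\n", model_defer_free(p, 1));
    return 0;
}
```

In the model, the write with the stale 0xf3 pointer is rejected against the 0xfe memory tag, while the same write through the reset pointer is allowed.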
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71110.json",
"cna_assigner": "Linux"
}