CVE-2025-71304 - Vulnerability Details

- smack: /smack/doi: accept previously used values

Description

In the Linux kernel, the following vulnerability has been resolved:

smack: /smack/doi: accept previously used values

Writing to /smack/doi a value that has ever been
written there in the past disables networking for
non-ambient labels.
E.g.

# cat /smack/doi
3
# netlabelctl -p cipso list
Configured CIPSO mappings (1)
DOI value : 3
mapping type : PASS_THROUGH
# netlabelctl -p map list
Configured NetLabel domain mappings (3)
domain: "_" (IPv4)
protocol: UNLABELED
domain: DEFAULT (IPv4)
protocol: CIPSO, DOI = 3
domain: DEFAULT (IPv6)
protocol: UNLABELED

# cat /smack/ambient
_
# cat /proc/$$/attr/smack/current
_
# ping -c1 10.1.95.12
64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.964 ms
# echo foo >/proc/$$/attr/smack/current
# ping -c1 10.1.95.12
64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.956 ms
unknown option 86

# echo 4 >/smack/doi
# echo 3 >/smack/doi
!> [ 214.050395] smk_cipso_doi:691 cipso add rc = -17
# echo 3 >/smack/doi
!> [ 249.402261] smk_cipso_doi:678 remove rc = -2
!> [ 249.402261] smk_cipso_doi:691 cipso add rc = -17

# ping -c1 10.1.95.12
!!> ping: 10.1.95.12: Address family for hostname not supported

# echo _ >/proc/$$/attr/smack/current
# ping -c1 10.1.95.12
64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.617 ms

This happens because Smack keeps decommissioned DOIs,
fails to re-add them, and consequently refuses to add
the “default” domain map:

# netlabelctl -p cipso list
Configured CIPSO mappings (2)
DOI value : 3
mapping type : PASS_THROUGH
DOI value : 4
mapping type : PASS_THROUGH
# netlabelctl -p map list
Configured NetLabel domain mappings (2)
domain: "_" (IPv4)
protocol: UNLABELED
!> (no ipv4 map for default domain here)
domain: DEFAULT (IPv6)
protocol: UNLABELED

Fix by clearing decommissioned DOI definitions and
serializing concurrent DOI updates with a new lock.

Also:
- allow /smack/doi to live unconfigured, since
adding a map (netlbl_cfg_cipsov4_map_add) may fail.
CIPSO_V4_DOI_UNKNOWN(0) indicates the unconfigured DOI
- add new DOI before removing the old default map,
so the old map remains if the add fails

(2008-02-04, Casey Schaufler)

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s Smack security module incorrectly accepts a DOI value that has been used in the past. When such a previously used value is written to the /smack/doi file, Smack fails to re‑add the corresponding DOI mapping and the default domain map is removed from the kernel’s configuration. With the default map missing, the kernel refuses to create new network labels for non‑ambient traffic and any network operation that relies on these labels is rejected. This manifests as a loss of networking functionality for affected processes, effectively denying network service.

Affected Systems

All Linux kernel‑based systems that employ the Smack label mechanism are impacted. The flaw is tied to the kernel’s handling of /smack/doi rather than a distribution or specific kernel version, so any system that configures or updates DOI values and has not applied the documented kernel patch is susceptible.

Risk and Exploitability

Exploitation requires the ability to write to /smack/doi, which typically demands elevated privileges, but local users with sufficient rights may trigger it. The EPSS score is unavailable and the vulnerability is not in the CISA KEV catalog, but the potential to disable networking on a host means the impact is significant until the kernel is patched.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e114e473771c848c3cfec05f0123e70f1cdbdc99`	affected	< eb718a3c8181ada679340db34cd61bce48e44749
`e114e473771c848c3cfec05f0123e70f1cdbdc99`	affected	< 6ec091c5c7eeabd249a7c46813cad1e9f555f859
`e114e473771c848c3cfec05f0123e70f1cdbdc99`	affected	< 199452f22d2f74b897fe826f81ec402b0a8461a0
`e114e473771c848c3cfec05f0123e70f1cdbdc99`	affected	< 1c7ee23dfcd18d80770d8f90f2ab5bb1b2bfd8a3
`e114e473771c848c3cfec05f0123e70f1cdbdc99`	affected	< f8071500177f38cff38892bd85ac631cc6e010b2
`e114e473771c848c3cfec05f0123e70f1cdbdc99`	affected	< 5a247a84de0ba44edbbd6be851c8a6b2aa60ff85
`e114e473771c848c3cfec05f0123e70f1cdbdc99`	affected	< 8beebb8ad9a003f978e53b06237986588223e15e
`e114e473771c848c3cfec05f0123e70f1cdbdc99`	affected	< 33d589ed60ae433b483761987b85e0d24e54584e

Linux

affected

Version	Status	Constraints
`2.6.25`	affected	—
`0`	unaffected	< 2.6.25
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[e114e473771c848c3cfec05f0123e70f1cdbdc99,eb718a3c8181ada679340db34cd61bce48e44749)`	affected	code_commit	—
`[e114e473771c848c3cfec05f0123e70f1cdbdc99,6ec091c5c7eeabd249a7c46813cad1e9f555f859)`	affected	code_commit	—
`[e114e473771c848c3cfec05f0123e70f1cdbdc99,199452f22d2f74b897fe826f81ec402b0a8461a0)`	affected	code_commit	—
`[e114e473771c848c3cfec05f0123e70f1cdbdc99,1c7ee23dfcd18d80770d8f90f2ab5bb1b2bfd8a3)`	affected	code_commit	—
`[e114e473771c848c3cfec05f0123e70f1cdbdc99,33d589ed60ae433b483761987b85e0d24e54584e)`	affected	code_commit	—
`[e114e473771c848c3cfec05f0123e70f1cdbdc99,5a247a84de0ba44edbbd6be851c8a6b2aa60ff85)`	affected	code_commit	—
`[e114e473771c848c3cfec05f0123e70f1cdbdc99,8beebb8ad9a003f978e53b06237986588223e15e)`	affected	code_commit	—
`[e114e473771c848c3cfec05f0123e70f1cdbdc99,f8071500177f38cff38892bd85ac631cc6e010b2)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.25`	affected	semver	—
`[0,2.6.25)`	unaffected	semver	—
`[5.10.252,5.10.*]`	unaffected	generic	—
`[5.15.202,5.15.*]`	unaffected	generic	—
`[6.1.165,6.1.*]`	unaffected	generic	—
`[6.6.128,6.6.*]`	unaffected	generic	—
`[6.12.75,6.12.*]`	unaffected	generic	—
`[6.18.14,6.18.*]`	unaffected	generic	—
`[6.19.4,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install a Linux kernel version that includes the Smack DOI fix
Until a kernel update is available, avoid modifying /smack/doi or reset it to a known good value before applying new mappings
If scripts or tools modify /smack/doi, add proper locking and verify the assignment succeeds before removing the previous mapping

Generated by OpenCVE AI on May 27, 2026 at 20:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/199452f22d2f74b897fe826f81ec402b0a8461a0
https://git.kernel.org/stable/c/1c7ee23dfcd18d80770d8f90f2ab5bb1b2bfd8a3
https://git.kernel.org/stable/c/33d589ed60ae433b483761987b85e0d24e54584e
https://git.kernel.org/stable/c/5a247a84de0ba44edbbd6be851c8a6b2aa60ff85
https://git.kernel.org/stable/c/6ec091c5c7eeabd249a7c46813cad1e9f555f859
https://git.kernel.org/stable/c/8beebb8ad9a003f978e53b06237986588223e15e
https://git.kernel.org/stable/c/eb718a3c8181ada679340db34cd61bce48e44749
https://git.kernel.org/stable/c/f8071500177f38cff38892bd85ac631cc6e010b2

History

Wed, 27 May 2026 21:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-703

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: smack: /smack/doi: accept previously used values Writing to /smack/doi a value that has ever been written there in the past disables networking for non-ambient labels. E.g. # cat /smack/doi 3 # netlabelctl -p cipso list Configured CIPSO mappings (1) DOI value : 3 mapping type : PASS_THROUGH # netlabelctl -p map list Configured NetLabel domain mappings (3) domain: "_" (IPv4) protocol: UNLABELED domain: DEFAULT (IPv4) protocol: CIPSO, DOI = 3 domain: DEFAULT (IPv6) protocol: UNLABELED # cat /smack/ambient _ # cat /proc/$$/attr/smack/current _ # ping -c1 10.1.95.12 64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.964 ms # echo foo >/proc/$$/attr/smack/current # ping -c1 10.1.95.12 64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.956 ms unknown option 86 # echo 4 >/smack/doi # echo 3 >/smack/doi !> [ 214.050395] smk_cipso_doi:691 cipso add rc = -17 # echo 3 >/smack/doi !> [ 249.402261] smk_cipso_doi:678 remove rc = -2 !> [ 249.402261] smk_cipso_doi:691 cipso add rc = -17 # ping -c1 10.1.95.12 !!> ping: 10.1.95.12: Address family for hostname not supported # echo _ >/proc/$$/attr/smack/current # ping -c1 10.1.95.12 64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.617 ms This happens because Smack keeps decommissioned DOIs, fails to re-add them, and consequently refuses to add the “default” domain map: # netlabelctl -p cipso list Configured CIPSO mappings (2) DOI value : 3 mapping type : PASS_THROUGH DOI value : 4 mapping type : PASS_THROUGH # netlabelctl -p map list Configured NetLabel domain mappings (2) domain: "_" (IPv4) protocol: UNLABELED !> (no ipv4 map for default domain here) domain: DEFAULT (IPv6) protocol: UNLABELED Fix by clearing decommissioned DOI definitions and serializing concurrent DOI updates with a new lock. Also: - allow /smack/doi to live unconfigured, since adding a map (netlbl_cfg_cipsov4_map_add) may fail. CIPSO_V4_DOI_UNKNOWN(0) indicates the unconfigured DOI - add new DOI before removing the old default map, so the old map remains if the add fails (2008-02-04, Casey Schaufler)
Title		smack: /smack/doi: accept previously used values
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/199452f22d2f74b897fe826f81ec402b0a8461a0 https://git.kernel.org/stable/c/1c7ee23dfcd18d80770d8f90f2ab5bb1b2bfd8a3 https://git.kernel.org/stable/c/33d589ed60ae433b483761987b85e0d24e54584e https://git.kernel.org/stable/c/5a247a84de0ba44edbbd6be851c8a6b2aa60ff85 https://git.kernel.org/stable/c/6ec091c5c7eeabd249a7c46813cad1e9f555f859 https://git.kernel.org/stable/c/8beebb8ad9a003f978e53b06237986588223e15e https://git.kernel.org/stable/c/eb718a3c8181ada679340db34cd61bce48e44749 https://git.kernel.org/stable/c/f8071500177f38cff38892bd85ac631cc6e010b2

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:14:53.289Z

Updated: 2026-05-27T12:14:53.289Z

Reserved: 2026-05-08T13:14:33.087Z

Link: CVE-2025-71304

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:42.850

Modified: 2026-05-27T14:48:31.480

Link: CVE-2025-71304

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T20:45:25Z

Weaknesses

CWE-703

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object