CVE-2025-71304
Status: Awaiting Analysis - Queue
Smack DOI Reuse Disables Networking in Linux Kernel

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

smack: /smack/doi: accept previously used values

Writing to /smack/doi a value that has ever been written there in the past disables networking for non-ambient labels. E.g.

  # cat /smack/doi
  3
  # netlabelctl -p cipso list
  Configured CIPSO mappings (1)
   DOI value : 3
    mapping type : PASS_THROUGH
  # netlabelctl -p map list
  Configured NetLabel domain mappings (3)
   domain: "_" (IPv4)
    protocol: UNLABELED
   domain: DEFAULT (IPv4)
    protocol: CIPSO, DOI = 3
   domain: DEFAULT (IPv6)
    protocol: UNLABELED
  # cat /smack/ambient
  _
  # cat /proc/$$/attr/smack/current
  _
  # ping -c1 10.1.95.12
  64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.964 ms
  # echo foo >/proc/$$/attr/smack/current
  # ping -c1 10.1.95.12
  64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.956 ms
  unknown option 86
  # echo 4 >/smack/doi
  # echo 3 >/smack/doi
  !> [  214.050395] smk_cipso_doi:691 cipso add rc = -17
  # echo 3 >/smack/doi
  !> [  249.402261] smk_cipso_doi:678 remove rc = -2
  !> [  249.402261] smk_cipso_doi:691 cipso add rc = -17
  # ping -c1 10.1.95.12
  !!> ping: 10.1.95.12: Address family for hostname not supported
  # echo _ >/proc/$$/attr/smack/current
  # ping -c1 10.1.95.12
  64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.617 ms

This happens because Smack keeps decommissioned DOIs, fails to re-add them, and consequently refuses to add the "default" domain map:

  # netlabelctl -p cipso list
  Configured CIPSO mappings (2)
   DOI value : 3
    mapping type : PASS_THROUGH
   DOI value : 4
    mapping type : PASS_THROUGH
  # netlabelctl -p map list
  Configured NetLabel domain mappings (2)
   domain: "_" (IPv4)
    protocol: UNLABELED
  !> (no ipv4 map for default domain here)
   domain: DEFAULT (IPv6)
    protocol: UNLABELED

Fix by clearing decommissioned DOI definitions and serializing concurrent DOI updates with a new lock.

Also:
- allow /smack/doi to live unconfigured, since adding a map (netlbl_cfg_cipsov4_map_add) may fail. CIPSO_V4_DOI_UNKNOWN(0) indicates the unconfigured DOI
- add new DOI before removing the old default map, so the old map remains if the add fails (2008-02-04, Casey Schaufler)
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor        Product        Version / Range
linux_kernel  linux_kernel   *
CWE ID: CWE-UNKNOWN
AI Quick Actions
Executive Summary

This vulnerability is in the Linux kernel's Smack security module, specifically in the handling of writes to /smack/doi. Writing a DOI value that has been used before disables networking for processes running under non-ambient Smack labels. Smack keeps the definitions of decommissioned DOI (Domain of Interpretation) values, fails to re-add a DOI that is still present, and consequently refuses to add the default IPv4 domain map; without that map, traffic from any label other than the ambient label can no longer be sent.

The failure is triggered when a DOI value that was once configured is written to /smack/doi again: the CIPSO add fails (the transcript in the description shows "cipso add rc = -17", i.e. EEXIST) and the default IPv4 domain mapping is removed without being replaced. Network operations such as ping then fail with 'Address family for hostname not supported'. The fix clears old DOI definitions and serializes DOI updates under a lock, so a previously used value can be written again without leaving the system in this state.

Impact Analysis

This vulnerability disrupts networking for processes running under non-ambient Smack labels. Once a previously used DOI value has been written to /smack/doi, IPv4 communication from such processes fails outright, and tools such as ping report an unsupported address family; processes running under the ambient label are not affected, as the transcript shows.

The result is a denial of network service for every affected process, which can break applications or services that depend on network connectivity while running under a Smack label. Because the trigger is an administrative write to /smack/doi rather than a crash, the failure can be silent until a labeled process tries to use the network.

Detection Guidance

The broken state can be detected by comparing the current value of /smack/doi with the NetLabel configuration and with the behaviour of networking for non-ambient labels. On a healthy system, 'netlabelctl -p map list' shows a 'domain: DEFAULT (IPv4)' entry with 'protocol: CIPSO, DOI = <value of /smack/doi>'; after the failed rewrite, that entry is missing and the kernel log contains lines such as 'smk_cipso_doi:691 cipso add rc = -17' (EEXIST) or 'smk_cipso_doi:678 remove rc = -2' (ENOENT).

Commands to help detect the issue include:

  • cat /smack/doi - to check the current DOI value.
  • netlabelctl -p cipso list - to list configured CIPSO mappings.
  • netlabelctl -p map list - to list configured NetLabel domain mappings.
  • cat /smack/ambient - to check ambient label.
  • cat /proc/$$/attr/smack/current - to check the current Smack label of the running shell.

Additionally, testing network connectivity with ping (e.g., ping -c1 <IP_address>) from a shell running under a non-ambient label, before and after writing to /smack/doi, shows directly whether networking for that label has been disabled.
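The checks listed above, as an added example that is not part of this CVE record or the kernel commit: a POSIX shell script that parses the output of 'netlabelctl -p map list' and reports whether the DEFAULT (IPv4) domain still carries a CIPSO mapping for the DOI read from /smack/doi. The function names, the check_live wrapper and the sample listings are assumptions; the samples are constructed to match the shape of the two listings in the description.

```shell
#!/bin/sh
# Added example (assumption: not from the CVE record or the kernel commit).
# Checks the NetLabel state that the transcript in the description shows for a
# healthy system: the DEFAULT (IPv4) domain must carry a CIPSO mapping whose DOI
# equals the value in /smack/doi. The broken state has no DEFAULT (IPv4) entry.

# smack_doi_consistent DOI MAP_TEXT
#   DOI      : the value read from /smack/doi
#   MAP_TEXT : the text printed by `netlabelctl -p map list`
# Exit status 0 when "domain: DEFAULT (IPv4)" is followed by
# "protocol: CIPSO, DOI = <DOI>", 1 when that entry is missing or names another DOI.
smack_doi_consistent() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /domain: DEFAULT \(IPv4\)/ { indef = 1; next }
        /domain:/                  { indef = 0 }
        indef && /protocol:/ {
            if ($0 ~ ("CIPSO, DOI = " want "([^0-9]|$)")) found = 1
            indef = 0
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample output, shaped like the two `netlabelctl -p map list`
# listings in the description (healthy first, then after the failed DOI rewrite).
HEALTHY_MAP='Configured NetLabel domain mappings (3)
 domain: "_" (IPv4)
  protocol: UNLABELED
 domain: DEFAULT (IPv4)
  protocol: CIPSO, DOI = 3
 domain: DEFAULT (IPv6)
  protocol: UNLABELED'

BROKEN_MAP='Configured NetLabel domain mappings (2)
 domain: "_" (IPv4)
  protocol: UNLABELED
 domain: DEFAULT (IPv6)
  protocol: UNLABELED'

# check_live: the same test against the running system. Needs root, a mounted
# smackfs at /smack and netlabelctl in PATH; returns 2 when it cannot decide.
check_live() {
    [ -r /smack/doi ] || { echo "smackfs not mounted at /smack"; return 2; }
    command -v netlabelctl >/dev/null 2>&1 || { echo "netlabelctl not found"; return 2; }
    doi=$(cat /smack/doi)
    if [ "$doi" = "0" ]; then
        # CIPSO_V4_DOI_UNKNOWN (0): the DOI is unconfigured.
        echo "DOI unconfigured (0)"
        return 1
    fi
    if smack_doi_consistent "$doi" "$(netlabelctl -p map list)"; then
        echo "ok: DEFAULT (IPv4) maps to CIPSO DOI $doi"
    else
        echo "WARNING: DEFAULT (IPv4) has no CIPSO map for DOI $doi;" \
             "non-ambient labels cannot use the network (check dmesg for smk_cipso_doi rc lines)"
        return 1
    fi
}

# Demo on the constructed samples (check_live is for an actual Smack system).
if smack_doi_consistent 3 "$HEALTHY_MAP"; then
    echo "healthy sample: DEFAULT (IPv4) maps to DOI 3"
fi
if ! smack_doi_consistent 3 "$BROKEN_MAP"; then
    echo "broken sample: default IPv4 map missing"
fi
```

The parser matches the DOI as a whole number, so a listing that maps the default domain to DOI 34 is not accepted for a /smack/doi value of 3; run check_live as root on the system under test, and keep the saved listings if you want to compare state before and after an administrative write to /smack/doi.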

Mitigation Strategies

The mitigation is to run a kernel that carries the upstream fix. That fix clears decommissioned DOI definitions and serializes concurrent DOI updates with a new lock, so rewriting a previously used value no longer leaves the system without a default map. Until a fixed kernel is deployed, avoid writing a value to /smack/doi that has already been used on the running kernel, and verify with 'netlabelctl -p map list' after any change that the DEFAULT (IPv4) domain still maps to the configured DOI.

The fix also:

  • Allows /smack/doi to remain unconfigured, since adding a map may fail. The unconfigured DOI is indicated by CIPSO_V4_DOI_UNKNOWN(0).
  • Adds the new DOI before removing the old default map, so the old map remains if the add fails.