smack: /smack/doi: accept previously used values
Summary
| CVE | CVE-2025-71304 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-27 14:16:42 UTC |
| Updated | 2026-05-27 14:48:31 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: smack: /smack/doi: accept previously used values Writing to /smack/doi a value that has ever been written there in the past disables networking for non-ambient labels. E.g. # cat /smack/doi 3 # netlabelctl -p cipso list Configured CIPSO mappings (1) DOI value : 3 mapping type : PASS_THROUGH # netlabelctl -p map list Configured NetLabel domain mappings (3) domain: "_" (IPv4) protocol: UNLABELED domain: DEFAULT (IPv4) protocol: CIPSO, DOI = 3 domain: DEFAULT (IPv6) protocol: UNLABELED # cat /smack/ambient _ # cat /proc/$$/attr/smack/current _ # ping -c1 10.1.95.12 64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.964 ms # echo foo >/proc/$$/attr/smack/current # ping -c1 10.1.95.12 64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.956 ms unknown option 86 # echo 4 >/smack/doi # echo 3 >/smack/doi !> [ 214.050395] smk_cipso_doi:691 cipso add rc = -17 # echo 3 >/smack/doi !> [ 249.402261] smk_cipso_doi:678 remove rc = -2 !> [ 249.402261] smk_cipso_doi:691 cipso add rc = -17 # ping -c1 10.1.95.12 !!> ping: 10.1.95.12: Address family for hostname not supported # echo _ >/proc/$$/attr/smack/current # ping -c1 10.1.95.12 64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.617 ms This happens because Smack keeps decommissioned DOIs, fails to re-add them, and consequently refuses to add the “default” domain map: # netlabelctl -p cipso list Configured CIPSO mappings (2) DOI value : 3 mapping type : PASS_THROUGH DOI value : 4 mapping type : PASS_THROUGH # netlabelctl -p map list Configured NetLabel domain mappings (2) domain: "_" (IPv4) protocol: UNLABELED !> (no ipv4 map for default domain here) domain: DEFAULT (IPv6) protocol: UNLABELED Fix by clearing decommissioned DOI definitions and serializing concurrent DOI updates with a new lock. Also: - allow /smack/doi to live unconfigured, since adding a map (netlbl_cfg_cipsov4_map_add) may fail. CIPSO_V4_DOI_UNKNOWN(0) indicates the unconfigured DOI - add new DOI before removing the old default map, so the old map remains if the add fails (2008-02-04, Casey Schaufler) |
Risk And Classification
EPSS: 0.000240000 probability, percentile 0.073320000 (date 2026-06-01)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected e114e473771c848c3cfec05f0123e70f1cdbdc99 eb718a3c8181ada679340db34cd61bce48e44749 git | Not specified |
| CNA | Linux | Linux | affected e114e473771c848c3cfec05f0123e70f1cdbdc99 6ec091c5c7eeabd249a7c46813cad1e9f555f859 git | Not specified |
| CNA | Linux | Linux | affected e114e473771c848c3cfec05f0123e70f1cdbdc99 199452f22d2f74b897fe826f81ec402b0a8461a0 git | Not specified |
| CNA | Linux | Linux | affected e114e473771c848c3cfec05f0123e70f1cdbdc99 1c7ee23dfcd18d80770d8f90f2ab5bb1b2bfd8a3 git | Not specified |
| CNA | Linux | Linux | affected e114e473771c848c3cfec05f0123e70f1cdbdc99 f8071500177f38cff38892bd85ac631cc6e010b2 git | Not specified |
| CNA | Linux | Linux | affected e114e473771c848c3cfec05f0123e70f1cdbdc99 5a247a84de0ba44edbbd6be851c8a6b2aa60ff85 git | Not specified |
| CNA | Linux | Linux | affected e114e473771c848c3cfec05f0123e70f1cdbdc99 8beebb8ad9a003f978e53b06237986588223e15e git | Not specified |
| CNA | Linux | Linux | affected e114e473771c848c3cfec05f0123e70f1cdbdc99 33d589ed60ae433b483761987b85e0d24e54584e git | Not specified |
| CNA | Linux | Linux | affected 2.6.25 | Not specified |
| CNA | Linux | Linux | unaffected 2.6.25 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.252 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.202 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.165 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.128 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.75 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.14 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19.4 6.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/f8071500177f38cff38892bd85ac631cc6e010b2 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/eb718a3c8181ada679340db34cd61bce48e44749 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/199452f22d2f74b897fe826f81ec402b0a8461a0 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/6ec091c5c7eeabd249a7c46813cad1e9f555f859 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/5a247a84de0ba44edbbd6be851c8a6b2aa60ff85 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/33d589ed60ae433b483761987b85e0d24e54584e | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/1c7ee23dfcd18d80770d8f90f2ab5bb1b2bfd8a3 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/8beebb8ad9a003f978e53b06237986588223e15e | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.