What is CVE-2025-71070?

CVE-2025-71070 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.14.6 onward and patched in 6.18.3 and 6.19. CVE-2025-71070 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-71070?

CVE-2025-71070 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2025-71070?

Yes, CVE-2025-71070 has been patched. Fixed versions include 6.18.3 and 6.19. If you are running Linux kernel 6.14.6 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-71070 actively exploited?

CVE-2025-71070 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-71070

In the Linux kernel, the following vulnerability has been resolved: ublk: clean up user copy references on ublk server exit If a ublk server process releases a ublk char device file, any requests dispatched to the ublk server but not yet completed will retain a ref value of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 ("ublk: simplify aborting ublk request"), __ublk_fail_req() would decrement the reference count before completing the failed request. However, that commit optimized __ublk_fail_req() to call __ublk_complete_rq() directly without decrementing the request reference count. The leaked reference count incorrectly allows user copy and zero copy operations on the completed ublk request. It also triggers the WARN_ON_ONCE(refcount_read(&io->ref)) warnings in ublk_queue_reinit() and ublk_deinit_queue(). Commit c5c5eb24ed61 ("ublk: avoid ublk_io_release() called after ublk char dev is closed") already fixed the issue for ublk devices using UBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference count leak also affects UBLK_F_USER_COPY, the other reference-counted data copy mode. Fix the condition in ublk_check_and_reset_active_ref() to include all reference-counted data copy modes. This ensures that any ublk requests still owned by the ublk server when it exits have their reference counts reset to 0.

Package Linux Kernel

Published 2026-01-13

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 6.14.6, 6.15 and later are affected. Fixed in 6.18.3, 6.19 and their respective stable series.

Affected from

≥ 6.14.6 ≥ 6.15

Fixed in

✓ 6.18.3 6.18.x ✓ 6.19

References

The following references provide additional information about CVE-2025-71070 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/13456b4f1033d911f8bf3a0a1195656f293ba0f6
Patch
Kernel patch commit
https://git.kernel.org/stable/c/daa24603d9f0808929514ee62ced30052ca7221c
Patch

Frequently asked questions

What is CVE-2025-71070?

CVE-2025-71070 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.14.6 onward and has been patched in 6.18.3 and 6.19. CVE-2025-71070 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2025-71070?

Yes — CVE-2025-71070 has been patched. Fixed versions include 6.18.3 and 6.19. If you are running Linux kernel 6.14.6 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-71070 actively exploited?

No — CVE-2025-71070 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.