What is CVE-2025-71117?

CVE-2025-71117 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10, classified as a Improper Locking flaw (CWE-667), affecting Linux kernel versions from 6.11 onward and patched in 6.18.3 and 6.19. CVE-2025-71117 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-71117?

CVE-2025-71117 has a CVSS score of 5.5 out of 10, rated Medium severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Is there a patch available for CVE-2025-71117?

Yes, CVE-2025-71117 has been patched. Fixed versions include 6.18.3 and 6.19. If you are running Linux kernel 6.11 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-71117 actively exploited?

CVE-2025-71117 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is Improper Locking (CWE-667)?

The product does not properly acquire or release a lock, which can lead to unexpected behaviour. See MITRE CWE for full details: https://cwe.mitre.org/data/definitions/667.html

CVE-2025-71117

Medium

In the Linux kernel, the following vulnerability has been resolved: block: Remove queue freezing from several sysfs store callbacks Freezing the request queue from inside sysfs store callbacks may cause a deadlock in combination with the dm-multipath driver and the queue_if_no_path option. Additionally, freezing the request queue slows down system boot on systems where sysfs attributes are set synchronously. Fix this by removing the blk_mq_freeze_queue() / blk_mq_unfreeze_queue() calls from the store callbacks that do not strictly need these callbacks. Add the __data_racy annotation to request_queue.rq_timeout to suppress KCSAN data race reports about the rq_timeout reads. This patch may cause a small delay in applying the new settings. For all the attributes affected by this patch, I/O will complete correctly whether the old or the new value of the attribute is used. This patch affects the following sysfs attributes: * io_poll_delay * io_timeout * nomerges * read_ahead_kb * rq_affinity Here is an example of a deadlock triggered by running test srp/002 if this patch is not applied: task:multipathd Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 schedule_preempt_disabled+0x1c/0x30 __mutex_lock+0xb89/0x1650 mutex_lock_nested+0x1f/0x30 dm_table_set_restrictions+0x823/0xdf0 __bind+0x166/0x590 dm_swap_table+0x2a7/0x490 do_resume+0x1b1/0x610 dev_suspend+0x55/0x1a0 ctl_ioctl+0x3a5/0x7e0 dm_ctl_ioctl+0x12/0x20 __x64_sys_ioctl+0x127/0x1a0 x64_sys_call+0xe2b/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> task:(udev-worker) Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 blk_mq_freeze_queue_wait+0xf2/0x140 blk_mq_freeze_queue_nomemsave+0x23/0x30 queue_ra_store+0x14e/0x290 queue_attr_store+0x23e/0x2c0 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3b2/0x630 vfs_write+0x4fd/0x1390 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x276/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK>

Package Linux Kernel

Published 2026-01-14

Last modified 2026-03-25

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

5.5

out of 10

Medium

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Weakness type

CWE-667

CVE-2025-71117 is a Improper Locking vulnerability

What is Improper Locking?

The product does not properly acquire or release a lock, which can lead to unexpected behaviour. Learn more on MITRE CWE

Affected versions

Linux kernel versions 6.11 and later are affected. Fixed in 6.18.3, 6.19 and their respective stable series.

Affected from

≥ 6.11

Fixed in

✓ 6.18.3 6.18.x ✓ 6.19

References

The following references provide additional information about CVE-2025-71117 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/3997b3147c7b68b0308378fa95a766015f8ceb1c
Patch
Kernel patch commit
https://git.kernel.org/stable/c/935a20d1bebf6236076785fac3ff81e3931834e9
Patch

Details

CVE ID CVE-2025-71117

Severity Medium

CVSS score 5.5 / 10

CVSS version 3.1

Published 2026-01-14

Modified 2026-03-25

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2025-71117?

CVE-2025-71117 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10 , classified as an Improper Locking flaw (CWE-667) . It affects Linux kernel versions from 6.11 onward and has been patched in 6.18.3 and 6.19. CVE-2025-71117 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2025-71117?

CVE-2025-71117 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Is there a patch available for CVE-2025-71117?

Yes — CVE-2025-71117 has been patched. Fixed versions include 6.18.3 and 6.19. If you are running Linux kernel 6.11 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-71117 actively exploited?

No — CVE-2025-71117 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
What is Improper Locking (CWE-667)?

The product does not properly acquire or release a lock, which can lead to unexpected behaviour. View CWE-667 on MITRE CWE →