Linux Kernel SLUB Defer_Free Use-After-Free via MTE Tag Mismatch
CVE-2025-71110 Published on January 14, 2026
mm/slub: reset KASAN tag in defer_free() before accessing freed memory
In the Linux kernel, the following vulnerability has been resolved:

mm/slub: reset KASAN tag in defer_free() before accessing freed memory

When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free()
before defer_free(). On ARM64 with MTE (Memory Tagging Extension),
kasan_slab_free() poisons the memory and changes the tag from the
original (e.g., 0xf3) to a poison tag (0xfe).

When defer_free() then tries to write to the freed object to build the
deferred free list via llist_add(), the pointer still has the old tag,
causing a tag mismatch and triggering a KASAN use-after-free report:

  BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537
  Write at addr f3f000000854f020 by task kworker/u8:6/983
  Pointer tag: [f3], memory tag: [fe]

Fix this by calling kasan_reset_tag() before accessing the freed memory.
This is safe because defer_free() is part of the allocator itself and is
expected to manipulate freed memory for bookkeeping purposes.
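
A user-space model of the tag check described above, added here as an illustration; it is not kernel code and not part of the advisory or the fix. The names `granule_tag`, `access_ok` and `model_defer_free` are hypothetical, and treating tag byte 0xff as the match-all value that kasan_reset_tag() leaves in the pointer is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_SHIFT     56
#define TAG_MATCH_ALL 0xffu  /* assumed tag byte left by kasan_reset_tag() */
#define TAG_POISON    0xfeu  /* tag byte of freed memory, as in the report */
#define SLOTS         8u     /* number of modelled 16-byte granules */

static uint8_t granule_tag[SLOTS];  /* stand-in for per-granule memory tags */

static uint8_t ptr_tag(uint64_t p) { return (uint8_t)(p >> TAG_SHIFT); }

static uint64_t with_tag(uint64_t p, uint8_t t)
{
    return (p & ~(0xffULL << TAG_SHIFT)) | ((uint64_t)t << TAG_SHIFT);
}

/* Map an address (tag bits ignored) to its modelled granule slot. */
static uint8_t *tag_slot(uint64_t p) { return &granule_tag[(p >> 4) % SLOTS]; }

/* Tag check: match-all pointers pass, others must equal the memory tag. */
static bool access_ok(uint64_t p)
{
    return ptr_tag(p) == TAG_MATCH_ALL || ptr_tag(p) == *tag_slot(p);
}

/* Model of the free path; returns whether the bookkeeping write passes. */
static bool model_defer_free(uint64_t obj, bool reset_tag_first)
{
    *tag_slot(obj) = ptr_tag(obj);   /* allocation: memory tag == pointer tag */
    if (!access_ok(obj))
        return false;                /* a live object must be accessible */
    *tag_slot(obj) = TAG_POISON;     /* kasan_slab_free() poisons the object */
    if (reset_tag_first)
        obj = with_tag(obj, TAG_MATCH_ALL);  /* the fix: reset the tag first */
    return access_ok(obj);           /* llist_add() writes into the object */
}

int main(void)
{
    uint64_t obj = 0xf3f000000854f020ULL;  /* address from the report above */
    printf("pointer tag %02x, poison tag %02x\n", ptr_tag(obj), TAG_POISON);
    printf("without reset: %s\n", model_defer_free(obj, false) ? "ok" : "tag mismatch");
    printf("with reset:    %s\n", model_defer_free(obj, true) ? "ok" : "tag mismatch");
    return 0;
}
```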
Affected Versions
Linux:
- Versions from af92793e52c3a99b828ed4bdd277fd3e11c18d08 up to, but not including, 65d4e5af2a2e82f4fc50d8259aee208fbc6b2c1d are affected.
- Versions from af92793e52c3a99b828ed4bdd277fd3e11c18d08 up to, but not including, 53ca00a19d345197a37a1bf552e8d1e7b091666c are affected.
- Version 6.18 is affected.
- Versions before 6.18 are unaffected.
- Versions from 6.18.3 through 6.18.* are unaffected.
- Versions from 6.19 onward (<= *) are unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.