Linux Kernel ETS Scheduler Race Condition (CVE‑2025‑71066) Enables Local Privilege Escalation
What It Is – A race‑condition flaw in the Linux kernel’s Ethernet Traffic Scheduler (ETS) Qdisc handling allows a local attacker to gain kernel‑level privileges. The bug stems from missing locking around Qdisc object operations.
Exploitability – No public exploit has been observed; proof‑of‑concept code is available in the advisory. CVSS 7.5 (High) – AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H.
Affected Products – All Linux distributions that ship the affected kernel version (the vulnerability is kernel‑wide, not vendor‑specific).
TPRM Impact – Any third‑party service that runs Linux‑based workloads (cloud hosts, SaaS platforms, managed service providers) could see a compromised host used to pivot, exfiltrate data, or disrupt services, creating a supply‑chain risk.
Recommended Actions –
- Verify kernel version; apply the patch released by the Linux kernel maintainers immediately.
- Re‑image or reboot affected systems to ensure the patched kernel is loaded.
- Review audit logs for unexpected privileged activity post‑patch.
- For managed‑service contracts, request proof of patch deployment from providers.
- Update internal hardening baselines to include the ETS scheduler in future vulnerability‑scanning rules.