Linux Kernel ETS Scheduler Race Condition Enables Local Privilege Escalation (CVE-2025-71066)
A race condition in the Linux kernel's ETS scheduler (CVE-2025-71066) allows local attackers to escalate privileges to kernel-level code execution, with a patch now available.
A newly disclosed vulnerability in the Linux kernel, tracked as CVE-2025-71066, exposes systems to local privilege escalation attacks. The flaw, reported by security researcher Maher Azzouzi (@maherazz2), resides in the kernel's ETS (Earliest TxTime Scheduler) Qdisc handling and stems from improper locking when performing operations on Qdisc objects. An attacker who first obtains the ability to execute high-privileged code on a target system can exploit this race condition to escalate privileges and execute arbitrary code in the context of the kernel, effectively gaining full control over the compromised machine.
The vulnerability was reported to the Linux kernel security team on November 18, 2025, and a coordinated public advisory was released on April 15, 2026, by the Zero Day Initiative (ZDI-26-26-289). The issue carries a CVSS score of 7.5, with a vector string of AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating that while the attack requires high privileges and high privileges and is complex to execute, a successful exploit can lead to a complete compromise of confidentiality, integrity, and availability impact across a compromised system's scope.
Linux has already issued a patch to correct the vulnerability. The fix is available via the kernel's netdev mailing list at this link. System administrators are strongly advised to apply the update as soon as possible, particularly on systems where untrusted users have high-privilege access or where kernel hardening is critical.
This vulnerability highlights the ongoing challenge of race conditions in kernel subsystems, particularly in networking code where concurrent access to shared objects is common. The ETS scheduler is used in advanced traffic control configurations, making this flaw relevant to servers, network appliances, and embedded systems running custom Linux kernels.
While no active exploitation in the wild has been reported as of the advisory date, the availability of a public advisory and the detailed disclosure timeline increase the risk of reverse engineering and exploit development. Organizations should prioritize patching and monitor for any signs of local privilege escalation attempts.
The disclosure follows a broader pattern of kernel-level vulnerabilities being responsibly reported and patched, underscoring the importance of coordinated efforts between researchers and the Linux kernel community to maintain security. Users are encouraged to stay updated with the latest kernel releases and security advisories.