Incomplete Internal State Distinction Affecting perf-debuginfo package, versions <1:6.1.166-197.305.amzn2023


Severity

Recommended
high

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.16% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-AMZN2023-PERFDEBUGINFO-17408842
  • published23 Jun 2026
  • disclosed27 May 2026

Introduced: 27 May 2026

CVE-2025-71304  (opens in a new tab)
CWE-372  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2023 perf-debuginfo to version 1:6.1.166-197.305.amzn2023 or higher.
This issue was patched in ALAS2023-2026-1544.

NVD Description

Note: Versions mentioned in the description apply only to the upstream perf-debuginfo package and not the perf-debuginfo package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

smack: /smack/doi: accept previously used values

Writing to /smack/doi a value that has ever been written there in the past disables networking for non-ambient labels. E.g.

# cat /smack/doi
3
# netlabelctl -p cipso list
Configured CIPSO mappings (1)
 DOI value : 3
   mapping type : PASS_THROUGH
# netlabelctl -p map list
Configured NetLabel domain mappings (3)
 domain: &#34;_&#34; (IPv4)
   protocol: UNLABELED
 domain: DEFAULT (IPv4)
   protocol: CIPSO, DOI = 3
 domain: DEFAULT (IPv6)
   protocol: UNLABELED

cat /smack/ambient

_

cat /proc/$$/attr/smack/current

_

ping -c1 10.1.95.12

64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.964 ms

echo foo &gt;/proc/$$/attr/smack/current

ping -c1 10.1.95.12

64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.956 ms unknown option 86

echo 4 &gt;/smack/doi

echo 3 &gt;/smack/doi

!> [ 214.050395] smk_cipso_doi:691 cipso add rc = -17 # echo 3 >/smack/doi !> [ 249.402261] smk_cipso_doi:678 remove rc = -2 !> [ 249.402261] smk_cipso_doi:691 cipso add rc = -17

# ping -c1 10.1.95.12

!!> ping: 10.1.95.12: Address family for hostname not supported

# echo _ &gt;/proc/$$/attr/smack/current
# ping -c1 10.1.95.12
64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.617 ms

This happens because Smack keeps decommissioned DOIs, fails to re-add them, and consequently refuses to add the “default” domain map:

# netlabelctl -p cipso list
Configured CIPSO mappings (2)
 DOI value : 3
   mapping type : PASS_THROUGH
 DOI value : 4
   mapping type : PASS_THROUGH
# netlabelctl -p map list
Configured NetLabel domain mappings (2)
 domain: &#34;_&#34; (IPv4)
   protocol: UNLABELED

!> (no ipv4 map for default domain here) domain: DEFAULT (IPv6) protocol: UNLABELED

Fix by clearing decommissioned DOI definitions and serializing concurrent DOI updates with a new lock.

Also:

  • allow /smack/doi to live unconfigured, since adding a map (netlbl_cfg_cipsov4_map_add) may fail. CIPSO_V4_DOI_UNKNOWN(0) indicates the unconfigured DOI
  • add new DOI before removing the old default map, so the old map remains if the add fails

(2008-02-04, Casey Schaufler)

CVSS Base Scores

version 3.1