Impact
A null pointer dereference can occur when the kernel function try_to_free_buffers() attempts to free buffers for a folio that has none attached. The flaw is triggered by calling filemap_release_folio() on a folio whose mapping is flagged AS_RELEASE_ALWAYS but defines no release_folio operation. In that situation folio_needs_release() incorrectly reports that a release is required, and drop_buffers() is invoked on a folio that holds no buffer data, so the kernel dereferences a null pointer and crashes. The defence added by the patch returns immediately and emits a WARN_ON_ONCE to signal the misconfiguration; kernels that have not been patched remain vulnerable.
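As an added illustration (not code from this page, from the patch, or from the kernel), the following userspace C model reproduces the control flow described above: a mapping flagged AS_RELEASE_ALWAYS with no release_folio hook makes folio_needs_release() answer "yes", filemap_release_folio() falls through to try_to_free_buffers(), and the unpatched shape hands a buffer-less folio to drop_buffers(), whose first list walk is the null dereference. The patched shape checks for buffers first, warns once and returns. Every structure, field name, the flag value and the patched function's false return value are constructed for the model and are assumptions; the kernel's real definitions differ.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: flag value and field names are illustrative stand-ins. */
#define AS_RELEASE_ALWAYS (1u << 0)

struct folio;

struct buffer_head {
    unsigned long b_state;            /* non-zero models a busy buffer */
    struct buffer_head *b_this_page;  /* circular list of the folio's buffers */
};

struct address_space_ops {
    bool (*release_folio)(struct folio *folio);  /* NULL: no release hook defined */
};

struct address_space {
    unsigned long flags;
    const struct address_space_ops *a_ops;
};

struct folio {
    struct address_space *mapping;
    struct buffer_head *buffers;      /* NULL when no buffers are attached */
};

static struct buffer_head *folio_buffers(const struct folio *folio) { return folio->buffers; }

static bool mapping_release_always(const struct address_space *mapping)
{
    return (mapping->flags & AS_RELEASE_ALWAYS) != 0;
}

/* The decision described above: AS_RELEASE_ALWAYS alone is enough to answer
 * "release needed", even when the folio has no buffers to release. */
static bool folio_needs_release(const struct folio *folio)
{
    const struct address_space *mapping = folio->mapping;
    return folio_buffers(folio) != NULL || (mapping != NULL && mapping_release_always(mapping));
}

/* Walks the buffer ring; with head == NULL the first bh->b_state read is the
 * null dereference. Callers must never pass a buffer-less folio. */
static bool drop_buffers(struct folio *folio)
{
    struct buffer_head *head = folio_buffers(folio);
    struct buffer_head *bh = head;
    do {
        if (bh->b_state)
            return false;             /* a busy buffer: nothing is freed */
        bh = bh->b_this_page;
    } while (bh != head);
    folio->buffers = NULL;            /* all idle: detach the buffers */
    return true;
}

/* Unpatched shape: trusts the caller and goes straight to drop_buffers(). */
static bool try_to_free_buffers_unpatched(struct folio *folio) { return drop_buffers(folio); }

/* Patched shape: no buffers means nothing to free; report the misconfigured
 * mapping once and return instead of dereferencing NULL (false is the model's choice). */
static int warned_once;
static bool try_to_free_buffers_patched(struct folio *folio)
{
    if (folio_buffers(folio) == NULL) {
        if (!warned_once++)
            fprintf(stderr, "WARN_ON_ONCE: try_to_free_buffers() on a folio without buffers\n");
        return false;
    }
    return drop_buffers(folio);
}

/* Model of the filemap_release_folio() call site: use the mapping's
 * release_folio hook when present, otherwise fall back to try_to_free_buffers(). */
static bool filemap_release_folio(struct folio *folio, bool patched)
{
    const struct address_space *mapping = folio->mapping;
    if (!folio_needs_release(folio))
        return true;
    if (mapping != NULL && mapping->a_ops != NULL && mapping->a_ops->release_folio != NULL)
        return mapping->a_ops->release_folio(folio);
    return patched ? try_to_free_buffers_patched(folio) : try_to_free_buffers_unpatched(folio);
}

/* The triggering configuration: AS_RELEASE_ALWAYS set, no release_folio. */
static const struct address_space_ops no_release_ops = { .release_folio = NULL };
static struct address_space misconfigured_mapping = { .flags = AS_RELEASE_ALWAYS, .a_ops = &no_release_ops };

/* True when the unpatched logic would reach drop_buffers() with no buffers. */
static bool unpatched_would_dereference_null(void)
{
    struct folio folio = { .mapping = &misconfigured_mapping, .buffers = NULL };
    return folio_needs_release(&folio) && folio_buffers(&folio) == NULL;
}

/* The patched path on the same folio returns instead of crashing. */
static bool patched_returns_safely(void)
{
    struct folio folio = { .mapping = &misconfigured_mapping, .buffers = NULL };
    return filemap_release_folio(&folio, true) == false;
}

/* The guard must not change behaviour when idle buffers are present. */
static bool patched_still_frees_idle_buffers(void)
{
    struct buffer_head b1 = { .b_state = 0 }, b0 = { .b_state = 0, .b_this_page = &b1 };
    struct folio folio = { .mapping = &misconfigured_mapping, .buffers = &b0 };
    b1.b_this_page = &b0;
    return filemap_release_folio(&folio, true) && folio_buffers(&folio) == NULL;
}

int main(void)
{
    printf("unpatched logic reaches drop_buffers() with no buffers: %d\n", unpatched_would_dereference_null());
    printf("patched path returns safely: %d\n", patched_returns_safely());
    printf("idle buffers still freed: %d\n", patched_still_frees_idle_buffers());
    return 0;
}
```

The model deliberately never calls the unpatched path on the buffer-less folio; unpatched_would_dereference_null() only confirms that the precondition for the crash is met, while the two other checks show the guard stopping the bad case without changing the normal one.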
Affected Systems
The vulnerability affects all Linux kernel versions released before the commit adding the null-pointer check was merged; every kernel based on those releases contains the problematic try_to_free_buffers() logic, and any system running a kernel not yet updated with the safety guard is vulnerable. No specific distribution is required for the flaw: any distribution that ships an affected kernel version is impacted.
Risk and Exploitability
The flaw can lead to a kernel panic, effectively a local denial of service. Based on the description, triggering it is inferred to require the ability to invoke the folio release path, most likely from privileged code or a compromised kernel module, so kernel or root privileges are needed. No EPSS score is available and the issue is not listed in the CISA KEV catalog, but the potential for a critical kernel panic suggests a high CVSS base score in the absence of an official metric. The risk is elevated for systems that still run older kernel versions or that use custom folio mappings with the AS_RELEASE_ALWAYS flag without providing a release_folio callback.
OpenCVE Enrichment