Impact
On Xtensa targets that enable userspace and the Xtensa MMU, the de‑initialization routine for memory domains fails to remove the domain’s list node from a global list. When a deinitialised domain is later freed or reused, kernel mapping and paging operations traverse this stale node, dereferencing a NULL pointer or a stale page‑table address. This produces a fatal MMU exception that crashes the system and, if the freed memory has been repurposed, results in page‑table corruption that can compromise userspace isolation by allowing unauthorized memory access within the kernel’s address space.
Affected Systems
The issue appears in Zephyr v4.4.0 on Xtensa CPUs when both CONFIG_USERSPACE and CONFIG_XTENSA_MMU are enabled. It was introduced in commit 3032b58f52d and shipped with v4.4.0. The mainline pull request that adds sys_slist_find_and_remove in arch_mem_domain_deinit() removes the dangling node and resolves the flaw. The Xtensa MPU path is unaffected.
Risk and Exploitability
The CVSS score of 6.3 indicates a moderate severity for this flaw. The EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in CISA KEV, so no publicly known exploits exist. The code path is reachable only from privileged kernel or supervisor code; unprivileged user threads and remote attackers have no direct access to trigger the flaw.
OpenCVE Enrichment