Impact
The vulnerability is in the ena network driver in the Linux kernel, where a lock assertion warning occurs when the driver initialization function devl_param_driverinit_value_set() is called without holding the required lock. Based on the description, this missing synchronization can lead to a race condition that may corrupt shared data structures within the kernel and result in a kernel panic or corrupted network state. The weakness aligns with CWE-362, which describes concurrent execution without proper locking. The exploitation path is not explicitly detailed; it is inferred that a local attacker manipulating devlink parameters could trigger the race and potentially cause a denial of service or a crash that undermines system stability.
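The locking contract described above, as an added userspace model (not code from the kernel or the ena driver): the setter only asserts that the lock is held, so the caller must take it. Every `model_*` name is hypothetical, and the `lockdep` flag goes beyond the description by assuming that the assertion reports only on kernels built with lock debugging.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: every model_* name is a hypothetical stand-in,
 * not code from the kernel or the ena driver. */
struct model_devlink {
    bool lock_held;           /* stands in for the devlink instance lock */
    bool lockdep;             /* models a kernel built with lock debugging */
    unsigned warnings;        /* lock assertions that fired */
    unsigned unlocked_writes; /* writes made without the lock, warned or not */
    unsigned value;           /* the driverinit parameter value */
};

/* devl_* convention: the callee asserts the lock, it never takes it. */
static void model_value_set(struct model_devlink *d, unsigned v)
{
    if (!d->lock_held) {
        d->unlocked_writes++;
        if (d->lockdep)
            d->warnings++;    /* only debug builds report the problem */
    }
    d->value = v;             /* the write proceeds either way */
}

/* Pattern the page describes: setter reached without the lock. */
void init_without_lock(struct model_devlink *d, unsigned v)
{
    model_value_set(d, v);
}

/* Corrected pattern: the caller holds the lock across the setter. */
void init_with_lock(struct model_devlink *d, unsigned v)
{
    d->lock_held = true;      /* devl_lock() in the kernel */
    model_value_set(d, v);
    d->lock_held = false;     /* devl_unlock() in the kernel */
}

int main(void)
{
    struct model_devlink dbg = { .lockdep = true }, prod = { 0 };
    struct model_devlink fixed = { .lockdep = true };
    init_without_lock(&dbg, 1);
    init_without_lock(&prod, 1);
    init_with_lock(&fixed, 1);
    printf("debug: warnings=%u unlocked=%u\n", dbg.warnings, dbg.unlocked_writes);
    printf("prod:  warnings=%u unlocked=%u\n", prod.warnings, prod.unlocked_writes);
    printf("fixed: warnings=%u unlocked=%u\n", fixed.warnings, fixed.unlocked_writes);
    return 0;
}
```

In this model the build without lock debugging performs the same unlocked write but logs nothing, so a clean kernel log does not show that the lock fix is present.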
Affected Systems
Affected products are Linux kernel implementations. No specific kernel release is listed as vulnerable, but the issue appears in recent kernel sources such as the 6.19.x series and earlier. Users of Amazon EC2 instances running kernel variants that include the ena driver may be impacted if the driver is built without the lock fix.
Risk and Exploitability
The CVSS score of 7.0 denotes a medium-to-high severity. The EPSS probability is under 1%, suggesting a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to trigger the race condition by manipulating devlink parameters. The description does not explicitly state the attack vector; it is inferred to be local, requiring local privilege or a compromised kernel module. If triggered, the flaw can lead to kernel crashes and denial of service, impacting availability and potentially allowing privilege escalation if an attacker can abuse corrupted kernel state.