Impact
The vulnerability resides in the Linux kernel’s regmap maple subsystem. When regcache_maple_write allocates a new mapping entry to merge adjacent ranges and writes it through mas_store_gfp, a failure of mas_store_gfp leaves the newly allocated entry in memory. The entry is never freed, creating a memory leak. According to the CVE description, the failure path does not release the entry, while the success path correctly frees neighboring blocks. This defect is a memory leak (CWE-401) of the kind that can lead to resource exhaustion. Memory usage could grow gradually on systems that frequently perform regcache maple writes, potentially impacting stability or availability if the leaked memory drains the system’s memory pool.
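The error-path pattern described above, as an added userspace model rather than kernel code or the upstream patch: every identifier is hypothetical, `model_store` stands in for a store step that can fail, and the `free_on_error` flag switches between the leaking and the corrected failure path.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model only: every name here is hypothetical, not kernel code. */
static long live_allocs;      /* heap blocks currently outstanding */
static int store_should_fail; /* fault injection for the store step */
static unsigned long *slot;   /* stands in for the tree slot */
static void *tracked_alloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Stand-in for a tree store that can fail under memory pressure. */
static int model_store(unsigned long *entry)
{
    if (store_should_fail) return -ENOMEM;
    slot = entry;
    return 0;
}

/* Merge optional neighbours around one new value into a fresh entry. */
static int model_write(unsigned long *lower, size_t nl, unsigned long val,
                       unsigned long *upper, size_t nu, int free_on_error)
{
    unsigned long *entry = tracked_alloc((nl + 1 + nu) * sizeof(*entry));
    if (!entry) return -ENOMEM;
    if (lower) memcpy(entry, lower, nl * sizeof(*entry));
    entry[nl] = val;
    if (upper) memcpy(&entry[nl + 1], upper, nu * sizeof(*entry));
    int ret = model_store(entry);
    if (ret == 0) {               /* success: neighbours are released */
        tracked_free(lower);
        tracked_free(upper);
    } else if (free_on_error) {   /* corrected error path */
        tracked_free(entry);
    }                             /* otherwise the entry is orphaned: the leak */
    return ret;
}

/* Net blocks left behind by `writes` consecutive failing writes. */
static long leaked_after(int writes, int free_on_error)
{
    long before = live_allocs;
    store_should_fail = 1;
    for (int i = 0; i < writes; i++)
        model_write(NULL, 0, (unsigned long)i, NULL, 0, free_on_error);
    store_should_fail = 0;
    return live_allocs - before;
}

int main(void) { return leaked_after(100, 0) == 100 && leaked_after(100, 1) == 0 ? 0 : 1; }
```

In the model, each failed store costs exactly one orphaned block when the error path skips the free, which is why the effect only shows as gradual growth under repeated failures.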
Affected Systems
The flaw affects kernel code distributed by the Linux kernel project. The known CNA vendors list includes "Linux:Linux" twice, indicating that any system running a kernel version that incorporates the affected regmap maple code could be impacted. Specific product or version information is not provided in the known CNA affected version field, so users must ascertain whether their kernel source or distribution contains the unpatched code.
Risk and Exploitability
The CVSS score is 5.5, indicating moderate severity. An EPSS score of 0.00023 (much less than 1%) suggests a very low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, indicating no known active exploitation. The risk primarily stems from cumulative memory leakage rather than an immediate remote code execution vector. Attackers would likely need to continuously trigger regcache maple writes to exhaust memory, which is more of a denial‑of‑service scenario than an exploit for privilege escalation or confidentiality breaches.