A use‑after‑free flaw exists in the error path of the Linux kernel’s mshv_map_user_memory() function. When the function calls vfree() on a memory region that still has an MMU notifier registered, the notifier remains active. If userspace later unmaps the memory, the notifier fires and touches the freed memory, causing a use‑after‑free and potentially a kernel panic. The flaw can be triggered by malformed hypervisor memory mapping requests and leads to a denial of service by crashing the kernel.

The vulnerability affects the Linux kernel in all versions that contain the buggy implementation of mshv_map_user_memory. The fix is present only after the patches released in the kernel commit referenced in the advisory. No specific version range is listed, so any kernel that has not yet been updated to include the fix remains potentially vulnerable.

The exploit probability is reported as less than 1 % according to EPSS, and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of widespread exploitation. However, once triggered, the impact is a complete system crash. The likely attack vector involves exploiting the hypervisor interface from userspace or privileged clients, requiring a successful call to mshv_map_user_memory with crafted parameters. Because the flaw resides in kernel memory management, no privilege escalation to arbitrary code execution is described; the primary risk is denial of service.