The vulnerability resides in the Linux kernel’s CXL region handling code, where a failure on the first sysfs_update_group() call prevents the associated resource from being freed. This results in a memory resource leak that can accumulate over time and exhaust system memory, thereby disrupting normal operation of the kernel or other applications. The weakness is a classic memory leak (CWE-401) and a failure to release a resource after its effective lifetime (CWE-772).

All installations of the Linux kernel that include the cxl module are potentially affected, as the issue is logged in the core kernel source and applies to any kernel build before the inclusion of the fix commit. Specific distribution or version information is not provided, so any kernel release before the fix should be considered vulnerable.

With a CVSS score of 5.5, the severity is moderate; repeated or forced failures of sysfs_update_group() could lead to memory exhaustion and subsequent denial of service. The EPSS score of 0.00024 (<1%) and the fact that it is not listed in CISA’s KEV catalog indicate that the vulnerability has not been widely exploited in public attacks. The most likely attack vector involves an attacker who can trigger the failure condition on a system with active CXL devices or from a privileged context where sysfs updates can misbehave.