The usbtmc_release function in the Linux USB Test and Measurement Class driver fails to flush or kill pending anchored URBs. This omission creates a use‑after‑free condition that can corrupt kernel memory if a freed URB is later referenced during device teardown or the HCD giveback process. The flaw is a classic Use‑After‑Free (CWE‑416) and is also classified as Out‑of‑Band Notification of Resource Leak (CWE‑825) because anchored URBs are not completed before the device is released.

The CPE list in the advisory lists affected kernels for the 7.0 release candidates from rc1 through rc6. Exact affected versions are not enumerated beyond those RCs, so any Linux kernel that contains the usbtmc driver before the commit that added the clean‑up call is potentially vulnerable. Consequently, systems running an unpatched 7.0 RC kernel or any earlier kernel that does not include the fix commit are at risk. The advisory does not explicitly confirm whether earlier stable releases are affected, so that information remains uncertain.

The CVSS score of 7.8 indicates medium‑high severity, while an EPSS score of <1% implies a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local device attachment, inferred from the fact that the issue is triggered when a USBTMC device is released. An attacker who can physically connect a malicious USBTMC device can exploit the flaw by provoking usbtmc_release, leaving an anchored URB in a freed memory context and potentially causing a kernel panic or memory corruption. Because the description specifies that the problem occurs during device teardown, it is reasonable to infer a local, hardware‑based exploitation path.