Impact
The flaw in the Linux kernel originates from an incorrect element length declaration in the qcom pd-mapper code, in servreg_loc_pfr_req_ei. The declared length does not match the reason field of servreg_loc_pfr_req, so decoding fails with the error qmi_decode_string_elem: String len 81 >= Max Len 65, which triggers a PD crash. Based on the description, it is inferred that the attack relies on sending malformed PD messages that cause the decoding error.
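To make the failure mode concrete, the following is an added userspace model of the QMI string-element length check (not kernel code and not the pd-mapper driver itself): the struct layout, the assumed declared limit of 65 behind "Max Len 65", and the corrected 257-byte capacity are constructed for illustration. It shows that an 81-byte reason is rejected under the mismatched declaration and accepted once the declared length matches the field.

```c
/* Added example (not kernel code): userspace model of the QMI string-element
 * length check. Sizes below are constructed/assumed for illustration only. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <errno.h>

#ifndef ETOOSMALL
#define ETOOSMALL 525   /* kernel-internal errno; not exported to userspace */
#endif
#define SERVICE_MAX 65  /* assumed declared length behind "Max Len 65" */
#define REASON_MAX  257 /* constructed capacity of the reason field */

struct pfr_req {
    char service[SERVICE_MAX];
    char reason[REASON_MAX];
};

/* Stand-in for one qmi_elem_info entry: declared capacity and field offset. */
struct elem_info {
    unsigned int elem_len;
    size_t offset;
};

/* Mirrors the decoder check behind the error on the page: a string whose
 * length is >= the declared elem_len is rejected before anything is copied. */
int decode_string_elem(const struct elem_info *ei, struct pfr_req *out,
                       const char *payload, unsigned int string_len)
{
    if (string_len >= ei->elem_len) {
        fprintf(stderr, "qmi_decode_string_elem: String len %u >= Max Len %u\n",
                string_len, ei->elem_len);
        return -ETOOSMALL;
    }
    memcpy((char *)out + ei->offset, payload, string_len);
    ((char *)out)[ei->offset + string_len] = '\0';
    return 0;
}

/* Decode a constructed 81-byte reason (the length from the log line) with
 * the given declared limit; returns 0 on success or -ETOOSMALL. */
int try_decode_reason(unsigned int declared_len)
{
    char reason[81];
    struct elem_info ei = { declared_len, offsetof(struct pfr_req, reason) };
    struct pfr_req req = {0};
    memset(reason, 'A', sizeof reason);
    return decode_string_elem(&ei, &req, reason, sizeof reason);
}
```

Passing SERVICE_MAX reproduces the rejection from the log line; passing REASON_MAX, a limit large enough for the field, decodes cleanly.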
Affected Systems
All Linux kernel releases that incorporate the qcom pd-mapper code before the commit that corrects the element length are potentially impacted. This includes the mainline kernel and all release candidates up to version 7.0-rc7 shipped by any distribution that did not apply the patch. Updated kernel versions containing the patch are no longer affected.
Risk and Exploitability
The CVSS score of 5.5 indicates a moderate severity, while the EPSS score of <1% suggests a low probability of exploitation at present. The vulnerability does not provide remote code execution but can cause a kernel crash, which could be triggered from a local or privileged context that can send PD messages to the kernel. The likely attack vector is therefore a local user or a privileged system component able to send PD messages; this inference arises from the fact that the crash is triggered by misformatted PD messages. It is not listed in CISA's KEV catalog.
OpenCVE Enrichment