Impact
The vulnerability results from concurrent manipulation of the kernel list ‘mfd_of_node_list’ without proper mutual exclusion, creating a race condition that can cause a kernel crash. An attacker would need the capability to orchestrate concurrent accesses to the kernel, which typically requires elevated privileges or a trusted kernel module. The likely attack vector is a local or privileged attacker using a device driver or custom module to manipulate the list in a way that triggers the race and crashes the kernel.
Affected Systems
Any Linux kernel that contains the multi‑function device subsystem without the new locking will be vulnerable. The data does not list precise versions, so we infer that all kernels released before the commit adding the mutex are at risk, including older distributions and custom builds that have not applied the patch.
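The locking pattern behind the fix can be modelled in userspace. This is an added example, not the kernel's code or the actual patch: a pthread mutex stands in for the kernel mutex, and `node_list`, `entry_add`, `entry_del` and `run_workers` are hypothetical names standing in for ‘mfd_of_node_list’ and its users.

```c
#include <pthread.h>
#include <stdlib.h>

/* Userspace model (assumption): node_list stands in for the shared kernel list. */
struct node_entry { int id; struct node_entry *next; };
static struct node_entry *node_list;
static pthread_mutex_t node_list_lock = PTHREAD_MUTEX_INITIALIZER;
/* Link a new entry at the head; the lock makes the two-step update atomic. */
static int entry_add(int id) {
    struct node_entry *e = malloc(sizeof(*e));
    if (!e) return -1;
    e->id = id;
    pthread_mutex_lock(&node_list_lock);
    e->next = node_list;
    node_list = e;
    pthread_mutex_unlock(&node_list_lock);
    return 0;
}
/* Unlink under the lock; free only once no walker can still reach the entry. */
static int entry_del(int id) {
    struct node_entry **pp, *e = NULL;
    pthread_mutex_lock(&node_list_lock);
    for (pp = &node_list; *pp; pp = &(*pp)->next)
        if ((*pp)->id == id) { e = *pp; *pp = e->next; break; }
    pthread_mutex_unlock(&node_list_lock);
    int found = (e != NULL);
    free(e);
    return found ? 0 : -1;
}
enum { NTHREADS = 4, PER_THREAD = 1000 };
/* Each worker adds its own id range, then removes the even ids again. */
static void *worker(void *arg) {
    int base = *(int *)arg;
    for (int i = 0; i < PER_THREAD; i++) entry_add(base + i);
    for (int i = 0; i < PER_THREAD; i += 2) entry_del(base + i);
    return NULL;
}
/* Run the workers concurrently; return the list length once all have joined. */
static int run_workers(void) {
    pthread_t t[NTHREADS]; int base[NTHREADS], n = 0;
    for (int i = 0; i < NTHREADS; i++) {
        base[i] = i * PER_THREAD;
        pthread_create(&t[i], NULL, worker, &base[i]);
    }
    for (int i = 0; i < NTHREADS; i++) pthread_join(t[i], NULL);
    for (struct node_entry *e = node_list; e; e = e->next) n++;
    return n;
}
int main(void) { return run_workers() == NTHREADS * PER_THREAD / 2 ? 0 : 1; }
```

With the lock and unlock calls removed, the same workload can lose entries or free a node that another thread is still walking, which is the userspace analogue of the crash described above.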
Risk and Exploitability
The CVSS score of 5.5 indicates a moderate impact on availability, and the EPSS score of <1% indicates a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying it has not yet been targeted by widely available exploits. The attack vector described under Impact, a local or privileged attacker leveraging a driver or custom kernel module to manipulate ‘mfd_of_node_list’, is an inference based on the requirement for kernel‑level manipulation. While no public exploit is documented, the race condition means a kernel crash can occur relatively easily given sufficient privileges. The overall risk is therefore considered moderate.