Impact
The vulnerability involves a leak of the scatter‑gather table in the Linux kernel's io_uring/zcrx subsystem. When io_populate_area_dma() fails on architectures with 32‑bit page pools but 64‑bit DMA, the io_zcrx_map_area() function retains an initialized sgtable that is never freed because the !is_mapped guard prevents cleanup. This leak allows memory to be gradually consumed in the kernel, potentially leading to exhaustion and a denial of service. The weaknesses are a memory leak (CWE‑401) and unreleased resources (CWE‑772).
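The error path described above can be reproduced in a small user-space model. This is an added example, not kernel code and not the upstream fix: the structs, helpers, error values and the `release_on_error` switch are hypothetical stand-ins that mirror only the shape of the bug (table initialised, populate step fails, teardown skipped by the `is_mapped` guard).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model: names echo the advisory, bodies are constructed. */
struct sgtable { void *ents; };
struct area { struct sgtable sgt; bool is_mapped; };

static int sgt_init(struct sgtable *t) { return (t->ents = malloc(64)) ? 0 : -12; }
static void sgt_free(struct sgtable *t) { free(t->ents); t->ents = NULL; }

/* Stand-in for io_populate_area_dma(): fails on request (constructed errno). */
static int populate_dma(bool fail) { return fail ? -14 : 0; }

/* Teardown guarded by is_mapped, as the advisory describes. */
static void unmap_area(struct area *a) {
    if (!a->is_mapped) return;   /* a failed mapping never reaches sgt_free() */
    sgt_free(&a->sgt);
    a->is_mapped = false;
}

/* Mapping step; release_on_error == false reproduces the leaky error return. */
static int map_area(struct area *a, bool fail, bool release_on_error) {
    int ret = sgt_init(&a->sgt);
    if (ret) return ret;
    ret = populate_dma(fail);
    if (ret) {
        /* Hardened variant (one possible remedy in this model): undo the init. */
        if (release_on_error) sgt_free(&a->sgt);
        return ret;              /* is_mapped stays false either way */
    }
    a->is_mapped = true;
    return 0;
}

/* Run n map/teardown cycles; count tables still allocated afterwards. */
int leaked_after(int n, bool fail, bool release_on_error) {
    int leaked = 0;
    for (int i = 0; i < n; i++) {
        struct area a = { .is_mapped = false };
        map_area(&a, fail, release_on_error);
        unmap_area(&a);
        if (a.sgt.ents) { leaked++; free(a.sgt.ents); } /* harness reclaim only */
    }
    return leaked;
}

int main(void) {
    printf("leaky: %d\n", leaked_after(100, true, false));
    printf("hardened: %d\n", leaked_after(100, true, true));
    return 0;
}
```

In the model, every failed mapping attempt strands one table when the error path does not release it, which is why repeated failures add up to the gradual memory consumption described above.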
Affected Systems
The issue affects any Linux distribution whose kernel includes the io_uring implementation and is built with the PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA configuration. No specific release versions are listed, so all such kernels prior to the commit that introduced the fix are at risk.
Risk and Exploitability
The CVSS score is 5.5, indicating moderate severity. The EPSS score is < 1%, and the vulnerability is not listed in CISA's KEV catalog, suggesting limited known exploitation. The attack vector is not explicitly documented; the failure occurs during io_uring area mapping, so an attacker would need to trigger this error path. In practice this may require local privileged code or malformed user input to an io_uring application, making exploitability moderate but non-trivial. The lack of public exploitation and the absence from KEV imply that the risk is currently largely theoretical, yet a kernel memory leak still warrants timely patching.