Impact
The cleanup path in memfd_luo expects a physical address but receives a raw PFN, causing kho_restore_page() to compute an incorrect physical address. Additionally the loop lacks a guard that checks for a zero PFN, so sparse file holes could be processed with a pfn equal to zero. This mismatch can lead to the kernel accessing invalid memory, potentially corrupting kernel data or causing a crash.
Affected Systems
All Linux kernel builds that include the unpatched memfd_luo implementation are affected. The CPE list indicates any Linux kernel variant; no specific kernel version is mentioned in the CVE data, so any system running a kernel without the fix commit is vulnerable.
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The description indicates that if the memfd_luo cleanup path is executed, the kernel will restore a page using an incorrect physical address, which can corrupt kernel memory or cause a crash. The attack vector is not explicitly documented, but it is inferred to be reachable during normal use of memfd objects, so the risk centers on potential kernel instability rather than widespread exploitation.
OpenCVE Enrichment
Ubuntu USN