Impact
The vulnerability resides in the Linux kernel’s thermal core subsystem. When a thermal governor is added to a thermal zone and the subsequent device registration fails, the governor is not removed, resulting in a memory leak. Additionally, the unregistration routine calls thermal_set_governor() without acquiring the thermal zone lock, which can race with concurrent sysfs updates and lead to a use‑after‑free. These flaws create a kernel‑level weakness that could allow a privileged local attacker to crash the kernel or execute arbitrary code if the freed object is reused maliciously.
Affected Systems
All Linux kernel builds that ship the thermal core subsystem and have not incorporated the referenced commits are affected. The fix is present in the commits linked above, so any kernel newer than those points is protected. Systems running unpatched Linux kernels of any vendor that include the thermal subsystem are at risk.
Risk and Exploitability
Based on the description, the likely attack vector is local privilege escalation via the sysfs thermal interface. The CVSS score of 5.5 indicates a medium severity, and the EPSS score of < 1% suggests a very low probability of exploitation in the near term. The absence of a remote exploitation path combined with the kernel‑level impact denotes a moderate risk. The vulnerability is not listed in the CISA KEV catalog and no public exploit is known, yet the use‑after‑free could still allow code execution if an attacker can orchestrate the race condition or induce the failure path.
OpenCVE Enrichment
Debian DLA
Ubuntu USN