Impact
The flaw exists in the Linux kernel’s thermal core subsystem. When a thermal governor is added to a thermal zone and the subsequent device registration fails, the governor is not removed, causing a memory leak. In addition, the unregistration routine calls thermal_set_governor() without holding the thermal zone lock, which can race with concurrent sysfs updates and lead to a use‑after‑free. The vulnerable code paths give a local attacker with sufficient privileges the opportunity to crash the kernel, corrupt memory, or potentially execute arbitrary code if the freed object can be reused maliciously.
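The two defects described above, as an added example that is not the kernel's code: a simplified userspace C model in which a governor binding survives a failed registration, and in which unregistration changes the governor without the zone lock. All names (set_governor, zone_register, the fixed flag and the counters) are hypothetical, and the lock is modelled as a flag so the behaviour is deterministic.

```c
#include <stddef.h>

/* Userspace model of the two defects; hypothetical names, not kernel code. */
struct governor { int bound; };      /* zones currently bound to this governor */
struct zone {
    int locked;                      /* stands in for the thermal zone lock */
    struct governor *gov;
    int unlocked_updates;            /* governor changes made without the lock */
};

/* Swap the governor; the contract is that the caller holds the zone lock. */
static void set_governor(struct zone *z, struct governor *g)
{
    if (!z->locked) z->unlocked_updates++;   /* in a real kernel: the race window */
    if (z->gov) z->gov->bound--;
    z->gov = g;
    if (g) g->bound++;
}

static void set_governor_locked(struct zone *z, struct governor *g)
{
    z->locked = 1;
    set_governor(z, g);
    z->locked = 0;
}

/* Register a zone; dev_fails simulates the device registration failing. */
static int zone_register(struct zone *z, struct governor *g, int dev_fails, int fixed)
{
    set_governor_locked(z, g);
    if (!dev_fails) return 0;
    if (fixed) set_governor_locked(z, NULL); /* error path undoes the binding */
    return -1;                               /* unfixed: g stays bound (leak) */
}

static void zone_unregister(struct zone *z, int fixed)
{
    if (fixed) set_governor_locked(z, NULL);
    else set_governor(z, NULL);              /* unfixed: no lock held */
}

int leaked_bindings(int fixed)       /* bindings left after a failed registration */
{
    struct governor g = {0}; struct zone z = {0};
    zone_register(&z, &g, 1, fixed);
    return g.bound;
}

int count_unlocked_updates(int fixed) /* unlocked changes over register + unregister */
{
    struct governor g = {0}; struct zone z = {0};
    zone_register(&z, &g, 0, fixed);
    zone_unregister(&z, fixed);
    return z.unlocked_updates;
}
```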
Affected Systems
All Linux kernel builds that ship the thermal core subsystem and have not incorporated the commits referenced in the advisory are affected. The fix is present in the commits linked above, so any kernel newer than those points is protected. Systems running unpatched Linux kernels of any vendor that include the thermal subsystem are at risk.
Risk and Exploitability
Based on the description, the likely attack vector is local privilege escalation via the sysfs thermal interface. The CVSS score is not provided and EPSS is unavailable, but the absence of a remote exploitation path combined with the kernel‑level impact suggests a moderate‑to‑high risk. The vulnerability is not listed in the CISA KEV catalog and no public exploit is known; however, the use‑after‑free could allow code execution if an attacker can arrange the race condition or provoke the failure path.