Impact
The vulnerability is a race condition between the Media‑2‑Media context release and the start of a job in the amphion driver, which can lead to a use‑after‑free and immediate kernel panic. The failure occurs when the framework frees a context while a job is about to call device_run, exposing an unreadable address and causing a denial of service. This falls under the CWE‑362 (Race Condition) and CWE‑364 (Use After Free) weaknesses.
Affected Systems
The flaw resides in the Linux kernel’s amphion media driver. All kernel builds that contain the amphion driver prior to the patch are affected; the specific kernel versions are not enumerated in the advisory, so any kernel version without the reported fix is potentially impacted.
Risk and Exploitability
EPSS indicates a very low exploitation probability (<1%), and the vulnerability is not listed in CISA KEV. Based on the description, it is inferred that the attack requires a local user with the ability to submit media jobs through the v4l2 interface; no network interaction or elevated privileges are described. Still, the race can be triggered by a crafted sequence of calls, so the risk is considered high for systems that allow media job submission.
OpenCVE Enrichment
Debian DLA
Ubuntu USN