Impact
The vulnerability arises when the Linux kernel's nx crypto module allocates bounce buffers using a 4-page order but releases them with free_page(), which frees only a single page. Because of this mismatch, the other pages of each buffer are never returned to the allocator, resulting in a memory leak that can gradually exhaust system memory. The bug does not provide direct code execution or privilege escalation, but the accumulation of leaked memory can degrade system performance or force a reboot, effectively creating a denial-of-service condition. The weakness is a classic resource-management flaw.
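An added illustration, not code from the kernel or from this page: a userspace model of the allocation/free mismatch described above, showing how a matched free differs from a single-page free over repeated allocate/teardown cycles. The 64-page pool, all function names, and the reading of "4-page order" as order 2 (4 pages) are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define POOL_PAGES   64  /* assumption: tiny pool so exhaustion is visible */
#define BOUNCE_ORDER 2   /* assumption: "4-page order" read as 1 << 2 pages */

static unsigned char used[POOL_PAGES];  /* 1 = page is allocated */

/* Models an order-based page allocation: claims the first aligned run of
 * 2^order free pages and returns its base index, or -1 if none exists. */
static int model_get_free_pages(unsigned order)
{
    int n = 1 << order;
    for (int base = 0; base + n <= POOL_PAGES; base += n) {
        int busy = 0;
        for (int i = 0; i < n; i++)
            busy |= used[base + i];
        if (!busy) {
            memset(used + base, 1, (size_t)n);
            return base;
        }
    }
    return -1;
}

/* Models an order-aware free: releases all 2^order pages of the block. */
static void model_free_pages(int base, unsigned order)
{
    memset(used + base, 0, (size_t)1 << order);
}

/* Models free_page(): always order 0, so only the first page is released. */
static void model_free_page(int base) { model_free_pages(base, 0); }

static int pages_in_use(void)
{
    int count = 0;
    for (int i = 0; i < POOL_PAGES; i++)
        count += used[i];
    return count;
}

/* Runs allocate/teardown cycles on an empty pool; returns how many cycles
 * completed before an allocation failed (max_cycles if none failed). */
static int run_cycles(int max_cycles, int matched_free)
{
    memset(used, 0, sizeof used);
    for (int c = 0; c < max_cycles; c++) {
        int buf = model_get_free_pages(BOUNCE_ORDER);
        if (buf < 0)
            return c;  /* no aligned 4-page run left */
        if (matched_free)
            model_free_pages(buf, BOUNCE_ORDER);
        else
            model_free_page(buf);  /* the mismatch: 3 of 4 pages stay allocated */
    }
    return max_cycles;
}
```

In the model, the mismatched path also fragments the pool: a quarter of the pages are free at the point of failure, but none of them forms a usable 4-page run.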
Affected Systems
The flaw affects all Linux installations that use the nx crypto module; specifically, any kernel that compiles the nx842_crypto implementation. The CPE string indicates all versions of the Linux kernel are potentially affected until the patch is applied. No specific vendor or product version limits are listed, so any distribution running kernel code that includes this module is at risk.
Risk and Exploitability
The CVSS score is not provided, and the EPSS score is unavailable, suggesting the exploitation likelihood is unknown but potentially low because the bug requires kernel execution. The flaw is not listed in CISA’s KEV catalog, indicating it has not been widely observed or exploited publicly. However, because the bug requires modifying kernel memory, it is limited to privileged users or an attacker who can execute code in kernel mode. Consequently, the primary risk is the potential for memory exhaustion leading to service disruption rather than an immediate compromise of confidentiality or integrity.