Impact
mm/zone_device contains a use-after-free: when the kernel frees a device folio through the driver's ->folio_free() callback, the driver may return the page to its pool and hand it out again before the callback returns. The freeing path then dereferences the stale folio to look up its page mapping and reads whatever the new owner has since written there. The flaw is classified as CWE-825 (Expired Pointer Dereference). Acting on a stale folio can corrupt kernel memory, disclose kernel contents, or enable privilege escalation.
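The pattern behind the bug, as an added illustration rather than the kernel's own code: a simplified userspace model in which a driver callback reuses the folio for a different owner before returning, so a pointer read from the folio after the callback belongs to the wrong owner. The structure names, the refcount-based stand-in for the page map, and the `racy_driver_folio_free` driver are assumptions made for this example; only the ordering of the two operations (callback first, then read from the folio) is what the advisory describes.

```c
#include <stdio.h>

/* Stand-in for the kernel's device page map: a reference the owner
 * expects to be dropped exactly once per folio returned to it. */
struct dev_pagemap {
    const char *name;
    int refs;
};

/* Stand-in for struct folio: only the back-pointer to its owner matters. */
struct folio {
    struct dev_pagemap *pgmap;
};

struct dev_pagemap_ops {
    void (*folio_free)(struct folio *folio);
};

/* Hypothetical driver state: two owners and a single pooled folio. */
static struct dev_pagemap pgmap_a = { "pgmap_a", 1 };
static struct dev_pagemap pgmap_b = { "pgmap_b", 1 };
static struct folio pool_folio;

/* Driver ->folio_free(): returns the folio to its pool and immediately
 * re-assigns it to another owner, all before the callback returns. */
static void racy_driver_folio_free(struct folio *folio)
{
    folio->pgmap = &pgmap_b;   /* the folio now belongs to a different owner */
}

static const struct dev_pagemap_ops racy_ops = { racy_driver_folio_free };

static void pgmap_put(struct dev_pagemap *pgmap)
{
    pgmap->refs--;
}

/* Vulnerable shape: the owner pointer is read from the folio AFTER the
 * callback, so it may already describe the folio's new owner. */
static void free_device_folio_buggy(struct folio *folio,
                                    const struct dev_pagemap_ops *ops)
{
    ops->folio_free(folio);
    pgmap_put(folio->pgmap);   /* stale folio: drops the wrong owner's ref */
}

/* Fixed shape: cache the pointer in a local variable before the folio
 * can be reused, then call the callback. */
static void free_device_folio_fixed(struct folio *folio,
                                    const struct dev_pagemap_ops *ops)
{
    struct dev_pagemap *pgmap = folio->pgmap;
    ops->folio_free(folio);
    pgmap_put(pgmap);
}

static void reset_state(void)
{
    pgmap_a.refs = 1;
    pgmap_b.refs = 1;
    pool_folio.pgmap = &pgmap_a;   /* pgmap_a is the owner lending the folio */
}

/* 1 if the lending owner lost exactly its one reference and the bystander
 * owner was untouched; 0 if the accounting went to the wrong owner. */
static int refs_balanced(void)
{
    return pgmap_a.refs == 0 && pgmap_b.refs == 1;
}

int run_buggy(void)
{
    reset_state();
    free_device_folio_buggy(&pool_folio, &racy_ops);
    return refs_balanced();
}

int run_fixed(void)
{
    reset_state();
    free_device_folio_fixed(&pool_folio, &racy_ops);
    return refs_balanced();
}

int main(void)
{
    printf("buggy path balanced: %d\n", run_buggy());   /* 0 */
    printf("fixed path balanced: %d\n", run_fixed());   /* 1 */
    return 0;
}
```

The model makes the consequence concrete: in the buggy path the reference of `pgmap_b`, which had nothing to do with the free, is dropped while `pgmap_a` keeps a reference it should have lost. In the kernel the equivalent mismatch is what lets a stale folio disclose or corrupt memory belonging to whoever reused it.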
Affected Systems
Any Linux kernel whose mm/zone_device folio-free path predates the fix, which saves the pointer it needs in a local (stack) variable before calling ->folio_free(), is affected. Because the bug sits in the core memory-management subsystem, it is present in every distribution kernel built from such a version, regardless of vendor; distributions that have not yet backported the upstream fix, including older or out-of-date kernel releases, remain exposed. When checking a host, compare the running kernel (uname -r) against the distribution's own advisory for this issue rather than against the upstream version number alone, since a backported fix does not change the version string.
Risk and Exploitability
No CVSS score or EPSS value has been published, and the flaw is not listed in the CISA KEV catalog. The bug can only be reached through a driver that manages device (ZONE_DEVICE) pages, so the realistic attack vector is local: code that can drive such a driver's allocation or ordering so that the folio handed to ->folio_free() is reallocated before the freeing path reads it. This is a race the attacker must win rather than a deterministic trigger, and winning it yields a read of kernel memory through the stale folio and, depending on how the retrieved mapping is used, a write. A malicious kernel module is sometimes cited as a vector, but code that can already load modules runs with full kernel privileges and gains nothing from this bug; the exposure that matters is a vulnerable driver whose allocation paths are reachable by less privileged users or workloads. Risk is therefore highest on systems that expose device-memory drivers to untrusted users or that let users with elevated privileges load custom modules, while isolated, hardened kernels with no such driver exposed have a correspondingly lower probability of exploitation.
OpenCVE Enrichment