Impact
The MPRLS0025PA driver in the Industrial I/O subsystem was found to use an spi_transfer structure without fully zero-initializing it before use; the CVE report states that the fix zeroes the struct before it is used. Because the unset fields could hold whatever the memory previously contained, unintended data could be transmitted over the SPI bus, causing driver instability or abnormal behavior, though the description does not state the exact impact.
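As an added illustration of this bug class (not code from the kernel or the driver), the C model below contrasts the partial-initialization pattern with the zeroed-struct fix. The struct spi_transfer here is a simplified, hypothetical stand-in with representative field names, and the stale field values are constructed to make the hazard reproducible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Simplified, hypothetical stand-in for the kernel's struct spi_transfer:
 * a few representative fields, not the real definition. */
struct spi_transfer {
    const void *tx_buf;
    void *rx_buf;
    unsigned int len;
    unsigned int cs_change;     /* control fields this driver never sets */
    unsigned int delay_usecs;
    unsigned int bits_per_word;
};
/* Vulnerable pattern: only the needed fields are filled in; every other
 * field keeps whatever the memory happened to hold. */
static void prep_unsafe(struct spi_transfer *t, const uint8_t *tx, uint8_t *rx, unsigned int len)
{
    t->tx_buf = tx;
    t->rx_buf = rx;
    t->len = len;
}
/* Fixed pattern: zero the whole struct first, then fill in the used fields,
 * so the SPI core sees defined values for everything it reads. */
static void prep_safe(struct spi_transfer *t, const uint8_t *tx, uint8_t *rx, unsigned int len)
{
    memset(t, 0, sizeof(*t));
    prep_unsafe(t, tx, rx, len);  /* same field assignments as before */
}

/* True when every field the driver did not set is zero. */
bool unused_fields_are_zero(const struct spi_transfer *t)
{
    return t->cs_change == 0 && t->delay_usecs == 0 && t->bits_per_word == 0;
}

/* Model the hazard deterministically: the struct memory already holds stale
 * control values (as it might after an earlier use) when the driver fills it.
 * Returns whether the prepared transfer is clean. */
bool prepare_and_check(bool use_fixed_pattern)
{
    static uint8_t tx[4] = { 0xAA, 0x00, 0x00, 0x00 }; /* constructed sample */
    static uint8_t rx[4];
    struct spi_transfer t;
    memset(&t, 0, sizeof(t));
    t.cs_change = 1;      /* stale: would toggle chip select mid-message */
    t.delay_usecs = 500;  /* stale: would insert an unexpected delay */
    if (use_fixed_pattern)
        prep_safe(&t, tx, rx, sizeof(tx));
    else
        prep_unsafe(&t, tx, rx, sizeof(tx));
    return unused_fields_are_zero(&t);
}
```

In a real driver the stale values would come from whatever the stack or heap held, so the unsafe result is not reproducible this way; the point is that only the memset variant guarantees a clean struct.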
Affected Systems
All Linux kernel builds that include the MPRLS0025PA driver before the commit that applied this zero‑initialization fix are affected. The driver is part of the default kernel source, so any distribution shipping an unpatched kernel version is at risk. Both generic kernel images and custom configurations that enable this driver would be impacted.
Risk and Exploitability
The CVSS score is 8.4, indicating high severity. The EPSS score indicates a very low exploitation probability (<1%). The vulnerability is not listed in the CISA KEV catalog, so it is not a known exploited vulnerability. The attack vector would likely require local or privileged access to the SPI device and interaction with the driver. No public exploit is documented, and the impact is believed to be driver instability or abnormal behavior rather than privilege escalation. Nonetheless, the high severity rating warrants prompt remediation.
OpenCVE Enrichment