Impact
The flaw exists in the Linux kernel’s checkpoint/restore sysctl request which supplies a desired next SysV IPC identifier. The kernel forwards that value to idr_alloc() without an upper bound. If the IPC tail is already full, idr_alloc() can allocate an entry beyond the valid ipc_mni limit. The new object ID is encoded with a narrower IPC index width. Subsequent removal logic truncates the real IDR index, leaving a dangling IDR slot that points to freed kernel memory, producing a use‑after‑free condition that could be exploited to trigger a kernel crash or arbitrary code execution, thereby providing local privilege escalation.
Affected Systems
All systems running a Linux kernel that includes the checkpoint/restore feature (normally built with CONFIG_CHECKPOINT_RESTORE) are potentially affected. No specific kernel versions are listed, so every distribution that compiles this feature is in scope unless it has been removed or the feature is disabled.
Risk and Exploitability
The vulnerability carries a CVSS score of 7.8, indicating a high severity. EPSS is less than 1%, suggesting a very low likelihood of exploitation in the wild. The flaw is not yet listed in the CISA KEV catalog. Attackers need local access and the ability to influence the checkpoint/restore sysctl path; the feature is not enabled by default on many distros, which mitigates exposure. Nevertheless, the potential impact of a successful exploit—kernel crash or privilege escalation—remains significant for exposed systems.
OpenCVE Enrichment
Debian DLA