Impact
In the Linux kernel, the jitterentropy module serializes shared state by acquiring a spinlock that remains held during the entire jent_read_entropy() call, which performs heavy entropy collection and SHA3 conditioning. This causes any concurrent readers to spin on the lock, consuming CPU cycles and potentially stalling the system. The vulnerability does not introduce data disclosure or privilege escalation; its core impact is a resource exhaustion that can degrade system responsiveness.
Affected Systems
The vulnerable code resides in the Linux kernel's jitterentropy random-number generator. All kernel releases that contain this implementation prior to the recent patch – which replaces the spinlock with a mutex – are impacted. The patch is present in the mainline kernel as of the commit referenced above; distributions that have not yet applied the update remain vulnerable.
Risk and Exploitability
The CVSS score is 5.5, indicating a moderate severity. The EPSS score indicates less than 1% probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, suggesting there are no known exploits. Based on the description, it is inferred that an attacker would need local access to trigger frequent random-number generation. There is no explicit evidence that a remote attacker could exploit this weakness. The risk is a denial of service through high CPU usage and lock contention, with a low likelihood of exploitation under current public knowledge.
OpenCVE Enrichment