Impact
A use‑after‑free flaw was discovered in the dma‑buf handling path of the Linux kernel's Intel Xe graphics driver (drm/xe). The bug occurs when a buffer object (bo) is released on an error path and the surrounding retry loop then jumps back and reuses the pointer to that already freed object. An attacker who can drive the driver into that error path causes the kernel to read and write freed memory; if the freed slot has since been reallocated to another object, the result is kernel memory corruption. Such memory corruption can lead to kernel data structure manipulation, privilege escalation, or arbitrary code execution.
Affected Systems
All Linux kernel releases that do not include the fixing commit (commit 4796694). The fix replaces the previous retry logic with an allocation‑before‑attachment pattern, so the buffer object is released only once, in the cleanup path, rather than on each failed attempt before a retry. Distribution kernels should be checked for the presence of this commit to determine whether they remain vulnerable; note that a backported fix usually carries a different hash, so match on the commit subject rather than on the hash alone.
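To make the pattern concrete, here is a userspace C model of the retry loop described under Impact and of the "release once, in cleanup" shape of the fix described above. This is an added illustration, not the kernel's drm/xe source or the actual patch: the `struct bo`, the fixed‑size pool that stands in for the slab allocator, the `dma_buf_attach_bo()` helper and the injected `-EDEADLK` failures are all assumptions made for this example. The pool records any touch of a released object, so the stale access shows up as a counter instead of as undefined behaviour.

```c
/* Added illustration of the retry-loop use-after-free; not drm/xe code.
 * All names, structures and the injected failures are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum bo_state { BO_FREE = 0, BO_LIVE = 1 };

/* Minimal stand-in for a buffer object. A fixed pool replaces kmalloc/kfree
 * so a stale pointer is detected rather than being undefined behaviour. */
struct bo {
	enum bo_state state;
	int attached;
};

#define POOL_SIZE 4
static struct bo pool[POOL_SIZE];
static int uaf_detected;          /* bumped when a freed bo is touched   */
static int attach_failures_left;  /* injected -EDEADLK failures remaining */

static void reset_model(void)
{
	memset(pool, 0, sizeof(pool));
	uaf_detected = 0;
	attach_failures_left = 0;
}

static int uaf_count(void) { return uaf_detected; }

static struct bo *bo_alloc(void)
{
	for (int i = 0; i < POOL_SIZE; i++) {
		if (pool[i].state == BO_FREE) {
			pool[i].state = BO_LIVE;
			pool[i].attached = 0;
			return &pool[i];
		}
	}
	return NULL;
}

/* Models the final put that releases the object back to the allocator. */
static void bo_put(struct bo *bo)
{
	bo->state = BO_FREE;
	bo->attached = 0;
}

static int bo_is_attached(const struct bo *bo)
{
	return bo && bo->state == BO_LIVE && bo->attached;
}

/* Models dma-buf attachment. Fails with -EDEADLK while injected failures
 * remain; any access to a released bo is recorded as a use-after-free. */
static int dma_buf_attach_bo(struct bo *bo)
{
	if (bo->state != BO_LIVE) {
		uaf_detected++;
		return -EFAULT;
	}
	if (attach_failures_left > 0) {
		attach_failures_left--;
		return -EDEADLK;
	}
	bo->attached = 1;
	return 0;
}

/* Vulnerable shape: the error path releases the bo, then the retry jumps
 * back and reuses the pointer that was just released. */
static struct bo *import_vulnerable(int fail_times)
{
	struct bo *bo = bo_alloc();
	int retries = 3, ret;

	attach_failures_left = fail_times;
	if (!bo)
		return NULL;
retry:
	ret = dma_buf_attach_bo(bo);
	if (ret) {
		bo_put(bo);                  /* object released here ...        */
		if (ret == -EDEADLK && retries-- > 0)
			goto retry;          /* ... and reused here: UAF        */
		return NULL;
	}
	return bo;
}

/* Fixed shape: the object stays alive across retries and is released
 * exactly once, in the single cleanup path after the loop gives up. */
static struct bo *import_fixed(int fail_times)
{
	struct bo *bo = bo_alloc();
	int retries = 3, ret;

	attach_failures_left = fail_times;
	if (!bo)
		return NULL;
	do {
		ret = dma_buf_attach_bo(bo);
	} while (ret == -EDEADLK && retries-- > 0);

	if (ret) {
		bo_put(bo);                  /* one release, after all retries  */
		return NULL;
	}
	return bo;
}

int main(void)
{
	reset_model();
	import_vulnerable(1);
	printf("vulnerable import: stale accesses = %d\n", uaf_count());
	reset_model();
	printf("fixed import: attached = %d, stale accesses = %d\n",
	       bo_is_attached(import_fixed(1)), uaf_count());
	reset_model();
	printf("fixed import, retries exhausted: result %s, stale accesses = %d\n",
	       import_fixed(10) ? "bo" : "NULL", uaf_count());
	return 0;
}
```

Compile with `cc -std=c11 -Wall` and run. The vulnerable import records one stale access as soon as the first attach attempt fails, because the second attempt runs against the released object; the fixed import either succeeds on the retry or, when the retries are exhausted, releases the object once and returns NULL without ever touching freed memory. In the real driver the released slab slot may already have been handed to another allocation by the time the retry runs, which is what turns the stale access into corruption of an unrelated kernel object.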
Risk and Exploitability
The vulnerability is a classic use‑after‑free (CWE‑416). EPSS data is unavailable and the vulnerability is not listed in CISA's KEV catalog, but the absence of public evidence of exploitation does not reduce the risk inherent in kernel memory corruption. Exploitation requires reaching the driver's dma‑buf path, which for a DRM driver generally means a local process able to open the device node, or code that already runs with elevated privileges. Loading a malicious kernel module is not a meaningful vector: a module already runs with full kernel privileges and gains nothing from this bug. The threat that matters is a local, lower‑privileged user driving the error path to escalate to kernel. No public exploit is known, so the likelihood of current exploitation is uncertain, but the potential impact warrants prompt patching on systems that load the Xe driver.
OpenCVE Enrichment