Impact
A use‑after‑free flaw in the Linux kernel’s rtl8150 USB Ethernet driver causes the driver to read a socket buffer length after the buffer has already been freed by the USB completion callback. This kernel memory read can trigger a kernel panic and crash the system. The fault is rooted in the driver’s transmit routine and is addressed by caching the skb length before submitting the URB.
Affected Systems
Linux kernels that include the rtl8150 driver prior to the merge of the fix commits (e.g., any upstream or distribution kernel that has not incorporated the authors’ changes). All such kernels are vulnerable regardless of version series because the driver code itself is present.
Risk and Exploitability
The CVSS score of 9.8 indicates a critical severity, and an EPSS score of <1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. An attacker would need local physical or logical control of the USB Ethernet adapter to send traffic that exercises the bug; no publicly available exploit code is documented. Successful exploitation results in a system crash that requires a reboot, so the risk remains high in environments where the device is in use.
OpenCVE Enrichment
Debian DLA