Impact
The vulnerability is a use‑after‑free within the Linux taprio network scheduler. When the scheduler switches from an administrative to an operational schedule, it frees the old schedule while still holding a pointer to its entry. Subsequent writes to the freed memory corrupt kernel data structures, which is a classic CWE‑825 weakness that can compromise the kernel’s integrity and availability.
Affected Systems
All Linux kernels that include the taprio scheduling class without the patch are vulnerable. This includes every distribution kernel that has not yet incorporated the commit sequence referenced in the advisory; any system that uses taprio remains at risk until it is updated.
Risk and Exploitability
The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% signals a low likelihood of exploitation. The attack vector is inferred to require the ability to configure taprio schedules, either locally or remotely if that capability is exposed. The flaw is not listed in CISA KEV, and no public exploits have been reported, but the memory corruption could still be leveraged for privilege escalation or denial of service.
OpenCVE Enrichment
Debian DLA