Impact
The Linux kernel greybus raw driver contains a use‑after‑free bug (CWE‑825). When a raw bundle is disconnected, the associated character device (cdev) remains open. Closing the cdev after the bundle has been freed triggers a reference‑count underflow, causing a kernel panic. This results in a denial of service that can bring the entire system offline. The weakness arises from improper management of the lifecycle of the cdev and its enclosing device structure.
Affected Systems
Affected systems are Linux kernel builds that include the greybus raw driver and lack the patch commit that replaced the device pointer with an embedded struct. The vulnerability exists in any kernel version that has not incorporated the fix from commit 983cc2c7efb. The issue may affect a wide range of Linux‑based servers, desktops, and embedded devices that rely on greybus for USB‑device interactions.
Risk and Exploitability
The CVSS score of 7.8 indicates a high severity, and the EPSS score (< 1%) suggests a low likelihood of exploitation at the moment. The vulnerability is listed as not in the CISA KEV catalog. Based on the description, the likely attack vector is local; an attacker who can open the raw bundle device and trigger a disconnect can cause a kernel panic. No remote code execution or privilege escalation is achieved; the damage is limited to a service disruption of the host. The condition requires the device to have been disconnected while still held open, so the exploit is dependent on specific timing and local access.
OpenCVE Enrichment