Impact
An ordering flaw in the Linux kernel's module initialization sequence causes a NULL pointer dereference when a CXL device is removed. The bug originates because the fwctl driver’s class registration has not yet taken place when device_add() is called, causing the kernel to attempt to free an uninitialized knode structure. The immediate consequence is a kernel crash, resulting in a denial of service. This vulnerability is local and affects systems that use the legacy CXL driver and allow dynamic device removal. It is categorized as CWE‑824 (Race condition).
Affected Systems
All Linux kernel distributions that include the legacy CXL driver before the patch that reordered the class initialization are affected. The bug exists in any kernel build that lacks the commit that ensures fwctl_class is registered before device_add is invoked, typically versions preceding the kernel commit identified in the advisory references. All machines that use CXL hardware and allow dynamic device removal are within scope.
Risk and Exploitability
An EPSS score of <1% indicates a very low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog, so the risk remains low in terms of publicly known exploits. The CVSS score is 5.5, indicating a moderate severity. However, the nature of the flaw dereference in a kernel driver places it at high impact if the flaw is triggered. An attacker who, even locally, could force a kernel crash. The lack of exploitation metrics suggests that the vulnerability is likely not widely announced yet, but the risk to any production environment that uses CXL devices remains significant.
OpenCVE Enrichment