Impact
The Linux kernel includes a hisilicon/sec2 crypto driver that incorrectly frees a request memory block (req) while the packet transmission routine is still using it during heavy load. This results in a use‑after‑free condition, which can corrupt kernel memory and cause crashes or service disruption. The flaw is described as CWE‑825 and does not inherently provide a direct pathway to remote code execution but can lead to denial of service or stability problems if triggered reliably.
Affected Systems
The vulnerability affects Linux kernel builds that include the hisilicon/sec2 crypto driver. No specific kernel version is listed; therefore, all kernel releases prior to the fix may be vulnerable until the patch is applied.
Risk and Exploitability
The CVSS score of 9.8 classifies the issue as critical, with an EPSS score of < 1 % indicating a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation campaigns. It is inferred that an attacker could exploit the issue by generating a high rate of traffic to the interface that uses the Hisilicon sec2 hardware, creating a race condition that frees the req memory before it is used. Such an attack would require the ability to flood the target interface, which could be achieved by an attacker on or near the network path.
OpenCVE Enrichment