Impact
In the Linux kernel, the pci-ep-msi path was vulnerable when an MSI allocation failed. The code freed the doorbell message array but left the endpoint structure pointing to the freed memory. Subsequent cleanup could attempt to free the already‑freed array, leading to a double‑free or use‑after‑free scenario that can corrupt kernel memory. The patch eliminates the leak and prevents overwriting existing allocations by returning -EBUSY when doorbells are already allocated.
Affected Systems
All Linux kernel versions that contain the pci-ep-msi endpoint driver before the commit that introduces this fix are affected. This includes any distribution release whose kernel contains the original pci_epf_alloc_doorbell implementation. The vendor is Linux; the product is the Linux kernel.
Risk and Exploitability
This vulnerability can potentially allow an attacker with the ability to trigger MSI allocation failures on a PCI endpoint to corrupt kernel memory, potentially leading to privilege escalation or denial of service. The CVSS score of 5.5 indicates moderate severity, while the EPSS score of <1% shows a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, implying no publicly known exploits. An attacker would need local control of the host that owns the device, or the ability to influence MSI allocation, to exploit this flaw.
OpenCVE Enrichment