Impact
An open-coded task_vma iterator in the Linux kernel reads the task structure’s mm field locklessly, relying on mmap_read_trylock() but omitting an mmget() call. If the target process terminates concurrently, its mm_struct can be freed while the iterator still holds a stale pointer, creating a use-after-free that corrupts kernel memory. The fix introduces mm reference counting, a trylock on alloc_lock, and additional context checks to prevent concurrent access to a deallocated mm_struct. This flaw is a classic use‑after‑free that can lead to kernel code execution or a crash.
Affected Systems
All Linux kernel releases that lack the commit 239cec25a22662dbd80f57d94b38178c8be95269 or subsequent backports are affected. The issue resides in the BPF subsystem and therefore applies to all kernel configurations that enable eBPF program loading.
Risk and Exploitability
The CVSS score of 7.8 indicates high severity, and the EPSS score of < 1% shows that the probability of exploitation is currently low. The vulnerability is not included in CISA’s KEV catalog. Based on the description, it is inferred that exploitation requires the attacker to load or execute a BPF program that uses the task_vma iterator; therefore the likely attack vector is local and limited to privilege that can load BPF programs. If successful, an attacker could achieve arbitrary kernel memory overwrite, leading to privilege escalation or denial of service.
OpenCVE Enrichment