Impact
A race condition in the Linux s390 AP bus allows an attacker to trigger a use‑after‑free of the driver_override string. When the AP mask is updated the apmask_store routine releases its mutex and then calls __ap_revise_reserved(), which reads driver_override without any protection. A concurrent driver_override_store can free the old string at the same time, causing the kernel to later access freed memory, corrupting state and potentially allowing arbitrary code execution. The weakness is a classic memory corruption flaw caused by inadequate synchronization during critical section updates.
Affected Systems
All Linux kernel installations running on IBM System z (s390) that use the AP bus and have not incorporated the driver_override fix. The original advisory does not enumerate specific kernel releases, but the fix is present in the commits referenced, indicating that any kernel version before these changes is presumed vulnerable. This includes older 5.x, 6.x and newer mainline kernels if the patch has not been applied.
Risk and Exploitability
The vulnerability is a medium‑severity use‑after‑free with a CVSS score of 5.5, EPSS score <1%, and is not listed in the CISA KEV catalog. The lack of spinlock protection allows a race that can lead to arbitrary code execution if an attacker can influence AP mask updates. Exploitation would still require local or privileged access that can invoke apmask_store or aqmask_store, potentially via exposed sysfs interfaces on the AP bus.
OpenCVE Enrichment