Impact
The vulnerability stems from a race condition between the gem_close and gem_change_handle ioctl calls in the Linux kernel’s DRM subsystem. An attacker can trigger the conflict by issuing the two calls concurrently, causing the kernel to misapply the idr_replace function and treat a virtual memory object that is still in use as freeable or to install an invalid reference. The result is resource mismanagement that can lead to kernel instability or a denial of service. The underlying weakness is a concurrency control failure classified as CWE‑367.
Affected Systems
All Linux kernel releases that have not incorporated the commits remedial to the change_handle race condition are affected. No specific version range is supplied, so any kernel lacking the disclosed patches is vulnerable.
Risk and Exploitability
The CVSS score of 7.8 indicates high severity, while the EPSS score of < 1 % suggests a low likelihood of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog and no public exploits are known. An attacker would need the ability to load a custom module or otherwise invoke privileged ioctl calls to trigger the race. Overall, the risk is moderate but timely remediation is recommended.
OpenCVE Enrichment