Impact
The fastrpc_map_lookup function returns a pointer after releasing a lock, and a concurrent MEM_UNMAP can free that map before fastrpc_map_create calls kref_get_unless_zero on the pointer. This results in a use‑after‑free that can crash the kernel. The flaw is a race condition (CWE‑366).
Affected Systems
Any Linux kernel build that has not incorporated the commit restoring the take_ref parameter in fastrpc_map_lookup is affected. The product is the Linux kernel; version information is not supplied, so all kernels prior to the patch are at risk.
Risk and Exploitability
The CVSS score is 7.8. The EPSS score is less than 1% and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a race with a MEM_UNMAP operation and kernel‑level access, making the attack path non‑trivial. The likely attack vector is local kernel execution, but external exploitation is not explicitly documented. Given the moderate likelihood but high severity, overall risk is moderate.
OpenCVE Enrichment
Debian DLA