Impact
A race exists between the release of an fastrpc device file and the workqueue that handles DSP responses. When the file descriptor is closed, the fastrpc_user structure is freed, but a still‑running DSP invocation can finish and schedule cleanup work that dereferences the freed structure. This use‑after‑free can trigger kernel memory corruption, potentially allowing an attacker to corrupt kernel data and gain elevated privileges or crash the system.
Affected Systems
All Linux kernel builds that contain the fastrpc subsystem are impacted; specific kernel releases prior to the patch commit are affected. No explicit version list was provided, so assume that any kernel lacking the fix is vulnerable.
Risk and Exploitability
The EPSS score is <1%, indicating a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 7.8 indicates high severity. Based on the description, it is inferred that exploitation would require local access to the fastrpc device and the ability to induce the race by closing the file descriptor while a DSP invocation is pending. Once the race condition is triggered, the kernel will dereference freed memory, which can lead to a crash or, at a minimum, kernel corruption. The patch introduces kref-based reference counting to ensure the fastrpc_user structure is only freed after all active contexts are released, eliminating the race.
OpenCVE Enrichment
Debian DLA