Impact
A flaw in the Linux kernel’s rtmutex subsystem causes the remove_waiter() routine to be called without first confirming that a waiter is enqueued. The omission leads to a null‑pointer dereference and a kernel panic. The issue is triggered when a futex operation using FUTEX_CMP_REQUEUE_PI attempts to requeue a futex in the presence of an early deadlock return, a code path that was incorrectly handled after recent refactoring of rt_mutex_start_proxy_lock(). The resulting crash disrupts system availability, allowing a privileged or malicious user to force a reboot or render the host unusable.
Affected Systems
All Linux kernel builds that include the rtmutex implementation before the fix are affected. The CNA lists the product simply as Linux:Linux, and no specific version ranges are provided, indicating that the vulnerability existed across multiple releases until the referenced commits corrected the logic. Administrators should verify whether their running kernel contains the patches referenced by the commit IDs 40a25d59e85b3c8709ac2424d44f65610467871e and 1a1fb985f2e2.
Risk and Exploitability
This is a medium‑severity local denial‑of‑service vulnerability with a CVSS score of 5.5. A kernel crash can be triggered by a null‑pointer dereference in the rtmutex subsystem. Exploitation requires local kernel access through a futex operation such as FUTEX_CMP_REQUEUE_PI; an attacker must be able to influence or control futex usage from a user or privileged process. The EPSS score is < 1 % and the vulnerability is not listed in the CISA KEV catalog, indicating that widespread exploitation has not yet been observed. Nonetheless, the severity and potential availability impact warrant prompt mitigation.
OpenCVE Enrichment
Debian DSA