Impact
This vulnerability is a race condition in the Linux kernel’s iomap subsystem that can cause a null pointer dereference during error reporting when a buffered read fails. It occurs because the error is reported after the read‑bytes counter is decremented, allowing a concurrent truncate operation to clear the folio’s mapping while the error reporting is still pending. If the mapping is cleared, the error‑reporting function dereferences a NULL pointer, which is a classic pointer dereference flaw (CWE-476). The dereference may trigger a kernel panic, resulting in loss of system availability.
Affected Systems
The flaw affects all installations of the Linux kernel that have not incorporated the commit that reports the error before decrementing the read_bytes_pending counter. This includes unpatched kernels shipped by major Linux distributions and older kernel versions that may still be in use.
Risk and Exploitability
The EPSS score is < 1% and the vulnerability is not listed in CISA's KEV catalog. The CVSS score of 7.5 indicates high severity, meaning the risk is moderate to high because a successful exploitation would cause a kernel crash and denial of service. The most probable attack vector is a race condition that requires concurrent read and truncate operations on the same storage device. The description indicates that this race can be possible, so the ability to trigger it from userspace is inferred; it likely requires elevated privileges or privileged access to the relevant storage subsystem.
OpenCVE Enrichment