Impact
The driver incorrectly assigns the result of krealloc to the original pointer without checking if the call returned NULL, destroying the reference to the previously allocated memory and leaking that memory block. This is an Incorrect Check of Return Value (CWE‑253) vulnerability that, if repeatedly exploited, can exhaust system memory andservice. The vulnerability is limited to availability, as memory exhaustion can cause denial‑of‑service.
Affected Systems
The flaw exists in the Linux kernel’s DRM driver for the VC4 GPU. Any Linux system running a kernel version that includes the legacy drm/vc4 driver without the patch is affected. The patch is referenced by commit identifiers; versions are not enumerated.
Risk and Exploitability
No CVSS score is provided, but the EPSS score indicates a probability of less than 1%, and the vulnerability is not listed in the CISA KEV catalog. Inferred attack vector would be local kernel exploitation, as an attacker must trigger the faulty krealloc path within the DRM driver, which does not provide arbitrary code execution. The risk is primarily denial‑of‑service via memory exhaustion can interact with the driver.
OpenCVE Enrichment
Debian DLA