Impact
The kernel firmware for SFP devices omits a cleanup step when a PHY probe fails, leaving the SFP bus object with a dangling upstream reference. When the device later processes an SFP event that reads this stale pointer, undefined kernel behavior can occur, potentially causing a crash and a denial of service. This is a classic use‑after‑free vulnerability (CWE‑459).
Affected Systems
All Linux kernel builds that enable the generic PhyLib SFP support and have not yet incorporated the commit that adds sfp_bus_del_upstream() in the probe failure path are affected. Legacy drivers that performed direct calls to phy_sfp_probe before the generic support are also vulnerable unless the kernel has been updated past commit 48774e87bbaa0056819d4b52301e4692e50e3252.
Risk and Exploitability
The CVSS score of 8.8 underscores a high severity level, yet the EPSS of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not yet listed in CISA’s KEV catalog. Based on the description, it is inferred that exploitation would require an attacker to induce a PHY probe failure—likely by controlling a device that performs probing—and then trigger an SFP event that reads the dangling upstream pointer. While no public exploits exist, this scenario is achievable on systems where the attacker has sufficient local privilege to influence PHY probing, making the risk moderate and primarily a denial‑of‑service threat.
OpenCVE Enrichment