Impact
In the Linux kernel a race condition in the xfrm policy lookup path can cause a use‑after‑free of an inexact bin. The bug is triggered when one thread deletes a policy while another thread is in the process the bin is freed while still referenced, an attacker could coerce a kernel crash or potentially corrupt kernel memory, leading to loss of integrity or, on some architectures, privilege escalation. This flaw corresponds to CWE‑364, a use‑after‑free weakness.
Affected Systems
The vulnerability affects the Linux kernel whenever the xfrm framework is enabled. No specific vendor version is listed, so all kernel releases prior to the commit that removed the race path are considered later kernel versions referenced by the.
Risk and Exploitability
The CVSS score is 7.8; however, the nature of the flaw—a use‑after‑free—suggests a high impact. The EPSS score is <1%, and the CISA KEV, indicating that no mass exploitation has been reported. The likely attack vector is local or privileged; an attacker would need FRM policy modification messages (such as XFRM_MSG_DELPOLICY and XFRM_MSG_NEWSPDINFO) to the kernel and coordinate timing with another thread. Because the race occurs during policy lookup, the opportunity window is narrow, but a skilled attacker could design sequences that trigger the crash or exploit memory corruption.
OpenCVE Enrichment
Debian DLA