Impact
The airoha driver in the Linux kernel frees metadata_dst objects prematurely, bypassing the RCU grace period. When a socket buffer holds a non‑refcounted pointer to such an object and the driver tears the dst down, a use‑after‑free can occur. This kernel‑level memory corruption may allow an attacker who can trigger the RX path to crash the system or execute arbitrary code in kernel context, resulting in privilege escalation or denial of service.
Affected Systems
The vulnerability affects the airoha network driver that ships with the Linux kernel. All distributions that include a kernel containing the airoha module before the patch referenced in the provided changes are impacted. The driver is present in kernel versions that still use the original unpatched code.
Risk and Exploitability
The CVSS score of 8.8 indicates high severity. The EPSS score of <1% reflects a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker must send specially crafted packets to the airoha device to trigger the fault; successful exploitation requires the driver to tear down the dst while RCU readers are still active. If achieved, an attacker could elevate privileges or crash the system.
OpenCVE Enrichment