Impact
The vulnerability is a slab-use-after-free in the IPv6 anycast address handling path. A race between inserting an address configuration object into the global hash and tearing down the device can cause the object to be freed while still linked from the hash, allowing a reader to dereference freed memory. This results in memory corruption, application crashes, or denial of service.
Affected Systems
All Linux kernel versions that include the unpatched ipv6 anycast code path—specifically those prior to the commits that move the hash insertion into the idev->lock section and replace acaddr_hash_lock with spin_lock_bh—are affected. The patch has been incorporated into mainline and stable kernels following those referenced commits.
Risk and Exploitability
The CVSS score of 7.8 classifies this as high severity, yet the EPSS score of <1% indicates a low likelihood of exploitation. The vulnerability requires a race between ipv6_dev_ac_inc and ipv6_ac_destroy_dev, which could result in memory corruption or denial of service if the dangling pointer is dereferenced. The vulnerability is not listed in the CISA KEV catalog.
OpenCVE Enrichment