Impact
In the Linux kernel’s optee driver, the supplicant thread processes requests on behalf of client tasks. If a client process exits before the supplicant finishes, it removes its request from the queue and frees the associated memory. Because the request identifier remains in the supplicant’s ID management structure, a later lookup in the supplicant path dereferences the freed memory, resulting in a use‑after‑free. This leads to kernel memory corruption and can cause a system crash. The flaw is the classic improper memory deallocation indicated by CWE‑825.
Affected Systems
All Linux kernel builds that include the optee driver and have not yet integrated commit 70b0d6b0a199 are affected. The CNA data lists only the Linux product line; no specific kernel versions are provided, so the affected scope is inferred to be every kernel that contains the unpatched optee implementation.
Risk and Exploitability
Based on the description, the likely attack vector involves an attacker causing a client process to terminate while the supplicant remains active. The CVSS score of 7.8 denotes high severity, while the EPSS score of less than 1% suggests a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require the attacker to force a client process to terminate while the supplicant remains active—a non‑trivial condition that limits the attack surface. Successful exploitation is expected to result in a denial‑of‑service via a kernel panic rather than arbitrary code execution.
OpenCVE Enrichment
Debian DLA