Impact
The vulnerability resides in the arm_mpam subsystem of the Linux kernel, where __destroy_component_cfg frees a configuration array without first verifying that it was allocated. If this function is called before allocation, a NULL pointer dereference triggers a kernel crash, effectively taking the host offline. This is a classic null‑pointer dereference flaw.
Affected Systems
All Linux kernel builds that include the arm_mpam driver are potentially impacted, such as arm64 and other ARM architectures that ship with unpatched kernels. This vulnerability affects a wide range of Linux distributions that have not applied the latest kernel update.
Risk and Exploitability
The bug could be triggered if an attacker with local or root privileges activates mpam_disable to force the crash. The CVSS score of 5.5 indicates moderate severity, while the EPSS score is <1%, indicating a low likelihood of exploitation. No public exploits are catalogued, and the CVE is not listed in the CISA KEV catalog, suggesting no current known active exploitation.
OpenCVE Enrichment