Impact
The idpf driver contains an error path in its auxiliary device handling that can cause a double free and a use‑after‑free when a device addition fails. The bug triggers the release callback before freeing the same object twice and then reads a pointer from the freed structure, corrupting kernel memory. This corruption can lead to a kernel panic or, in the worst case, arbitrary code execution with kernel privileges. It is inferred that an attacker who can force the error path may exploit the memory corruption to obtain elevated privileges.
Affected Systems
All installations of the Linux kernel that include the idpf driver and have not incorporated the patch introduced by commit 65637c3a1811 are affected. Because the affected code is part of the kernel’s mainline tree, any kernel build prior to that commit remains vulnerable. No explicit version range is provided, so the vulnerability applies to all kernels before the patch, regardless of series.
Risk and Exploitability
The CVSS score is 5.5, the EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog. The flaw manifests only during a failure in the auxiliary device creation path, which typically requires privileged context or control over devices that use the idpf driver. It is inferred that a local attacker with the ability to influence device addition could trigger the vulnerable path and potentially exploit the resulting memory corruption.
OpenCVE Enrichment