Impact
An enetc network driver in the Linux kernel contains a DMA use‑after‑free flaw that can corrupt kernel memory. If netc_xmit_ntmp_cmd() times out, the driver frees the DMA buffer used by the pending command while the hardware still expects to write to that address, leading to silent memory corruption. This issue maps to CWE‑825: Improper Deallocation of Memory. The likely attack vector involves an entity that can generate NTMP commands to the affected interface; such an action would exercise the use‑after‑free condition and overwrite memory. Access to NTMP traffic is typically confined to system components, but any local or potential remote source of these commands could exploit the flaw.
Affected Systems
All Linux kernel builds that include the enetc driver are potentially affected. The advisory does not list specific kernel versions, but any kernel containing the legacy NTMP implementation before this patch is vulnerable. Users should verify their kernel by inspecting the enetc driver source for the commit identifiers referenced in the patch set.
Risk and Exploitability
The CVSS score of 7.8 indicates a high severity vulnerability, while the EPSS score of < 1% shows a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The patch requires moving from a spinlock to a mutex and introducing software command BDs to prevent premature DMA buffer release. Based on the description, a local attacker with the ability to send NTMP commands to the affected network interface could trigger the flaw and cause kernel memory corruption, which could lead to a system crash or, in the worst case, privilege escalation if the corrupted memory includes control structures. However, the actual exploitation requires specific conditions and is therefore not considered highly likely at present.
OpenCVE Enrichment