Impact
The vulnerability exists in the Linux kernel’s CPU hotplug code. During a CPU offline operation a callback that is only allowed to fail in the ONLINE phase was mistakenly registered in the OFFLINE teardown. When a CPU is taken offline, this callback may return an error, causing the kernel to emit a DEAD callback warning and potentially stall the hotplug sequence. This failure does not grant code execution or data access but can force a system reboot or service interruption, resulting in a denial of service.
Affected Systems
Linux kernels that include the affected code path before commit 4ae12d8bd9a8 are vulnerable. The patch that moves the offending callback to the ONLINE section was introduced in that commit and is preserved in subsequent updates. Kernels compiled or distributed prior to that commit remain at risk.
Risk and Exploitability
The CVSS score of 5.5 indicates medium severity, and the EPSS score of less than 1 % shows a very low likelihood of exploitation in the wild. The flaw is only exploitable when an attacker can perform privileged CPU hotplug operations, which requires local kernel access. A local attacker could trigger the callback to provoke a DEAD warning, potentially causing a kernel failure that requires a reboot, but cannot gain arbitrary code execution or access privileged data.
OpenCVE Enrichment
Debian DLA