CVE-2025-71274

MEDIUM

rpmsg: core: fix race in driver_override_show() and use core helper

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: rpmsg: core: fix race in driver_override_show() and use core helper The driver_override_show function reads the driver_override string without holding the device_lock. However, the store function modifies and frees the string while holding the device_lock. This creates a race condition where the string can be freed by the store function while being read by the show function, leading to a use-after-free. To fix this, replace the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_store uses the standard driver_set_override helper. Since the introduction of driver_set_override, the comments in include/linux/rpmsg.h have stated that this helper must be used to set or clear driver_override, but the implementation was not updated until now. Because driver_set_override modifies and frees the string while holding the device_lock, the new driver_override_show now correctly holds the device_lock during the read operation to prevent the race. Additionally, since rpmsg_string_attr has only ever been used for driver_override, removing the macro simplifies the code.

Scores

CVSS v3 4.7
EPSS 0.0009
EPSS Percentile 0.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-362
Status published
Products (26)
linux/Kernel 4.18.0 - 5.10.252linux
linux/Kernel 5.11.0 - 5.15.202linux
linux/Kernel 5.16.0 - 6.1.165linux
linux/Kernel 6.13.0 - 6.18.16linux
linux/Kernel 6.19.0 - 6.19.6linux
linux/Kernel 6.2.0 - 6.6.128linux
linux/Kernel 6.7.0 - 6.12.75linux
Linux/Linux < 4.18
Linux/Linux 39e47767ec9b22f844c2a07c9d329256960d4021 - 2e4a70f3c30910427e5ea848b799066d67b963d5
Linux/Linux 39e47767ec9b22f844c2a07c9d329256960d4021 - 392c6b68334aa0e0ae9aba95c0a366bcb0d92f5d
... and 16 more
Published May 06, 2026
Tracked Since May 06, 2026