Linux Kernel CVE-2025-71274

EUVD-2025-209674, MEDIUM
Race Condition (CWE-362)
2026-05-06, Linux, GHSA-qgf6-m828-gpv5
CVSS 3.1: 4.7

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: May 13, 2026 - 00:00 (vuln.today)
CVSS changed: May 12, 2026 - 21:37 (NVD), 4.7 (MEDIUM)
Patch available: May 06, 2026 - 13:02 (EUVD)
CVE Published: May 06, 2026 - 11:27 (NVD)
MEDIUM 4.7

Description (NVD)

In the Linux kernel, the following vulnerability has been resolved:

rpmsg: core: fix race in driver_override_show() and use core helper

The driver_override_show function reads the driver_override string without holding the device_lock. However, the store function modifies and frees the string while holding the device_lock. This creates a race condition where the string can be freed by the store function while being read by the show function, leading to a use-after-free.

To fix this, replace the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_store uses the standard driver_set_override helper. Since the introduction of driver_set_override, the comments in include/linux/rpmsg.h have stated that this helper must be used to set or clear driver_override, but the implementation was not updated until now.

Because driver_set_override modifies and frees the string while holding the device_lock, the new driver_override_show now correctly holds the device_lock during the read operation to prevent the race.

Additionally, since rpmsg_string_attr has only ever been used for driver_override, removing the macro simplifies the code.

Analysis (AI)

Use-after-free vulnerability in the Linux kernel rpmsg subsystem allows local attackers with low privileges to cause denial of service by exploiting a race condition between driver_override_show() and driver_override_store() functions. The show function reads the driver_override string without holding the device_lock while the store function modifies and frees it under lock, creating a window for memory corruption. The vulnerability requires local access and non-default timing conditions (AC:H), limiting real-world exploitation probability to 0.02% per EPSS scoring.

Technical Context (AI)

The vulnerability exists in the Linux kernel's rpmsg (remote processor messaging) core subsystem, specifically in the driver_override attribute implementation. The rpmsg_string_attr macro previously exposed driver_override through generic show/store handlers that lacked proper synchronization. The show function reads the driver_override character pointer without acquiring the device_lock, while the store function (via driver_set_override helper) modifies and potentially frees this pointer while holding the lock. This synchronization gap violates the locking discipline required for safe concurrent access to shared kernel objects. CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) categorizes the root cause as a race condition requiring multiple execution threads to interleave in a specific manner.

Remediation (AI)

Vendor-released patches are available across all supported kernel stable branches. Apply the following minimum patched versions: Linux 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0 and later. Update via your distribution's kernel update mechanism or a direct checkout of the kernel.org stable branch. The upstream fix replaces the vulnerable rpmsg_string_attr macro with explicit show and store functions that properly use the driver_set_override() helper, which correctly acquires device_lock before modifying and freeing the driver_override pointer. No workarounds are available for unpatched systems; patching is the only mitigation. Systems not using the rpmsg subsystem are unaffected. References: https://git.kernel.org/stable/c/2e4a70f3c30910427e5ea848b799066d67b963d5
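The per-branch version floors listed above can be checked against a fleet's `uname -r` output. The following is an added example, not code from this page or from the kernel project; the function names are illustrative. It compares only the upstream x.y.z part of the release string, so it assumes kernel.org numbering: a distribution kernel that carries a backported fix under a lower number is still reported as below the floor.

```python
import platform
import re

# Minimum fixed release per stable branch, copied from the remediation text.
FIXED = {
    (5, 10): 252, (5, 15): 202, (6, 1): 165, (6, 6): 128,
    (6, 12): 75, (6, 18): 16, (6, 19): 6,
}
FIXED_MAINLINE = (7, 0)  # "7.0 and later"


def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` style string.

    Suffixes such as "-generic" or "-rc1" are ignored (assumption: only the
    numeric upstream version is compared).
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(release):
    """Classify a release against the CVE-2025-71274 fix levels.

    'patched'   : at or above the floor for its branch, or 7.0 and later
    'unpatched' : on a listed branch but below its floor
    'unknown'   : branch not listed in the advisory (check vendor status)
    """
    major, minor, patch = parse_release(release)
    if (major, minor) >= FIXED_MAINLINE:
        return "patched"
    floor = FIXED.get((major, minor))
    if floor is None:
        return "unknown"
    return "patched" if patch >= floor else "unpatched"


if __name__ == "__main__":
    running = platform.release()
    print(f"{running}: {classify(running)}")
```

A result of 'unknown' or 'unpatched' on a distribution kernel should be resolved against the distribution's own advisory for this CVE rather than treated as final.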
