Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local vector and low privileges match the config/probe path, but triggering a probe-time UAF and winning the slab race raises complexity to AC:H; kernel-memory impact keeps C/I/A high.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()
In scpsys_get_bus_protection_legacy(), of_find_node_with_property() returns a device node with its reference count incremented. The function then calls of_node_put(node) before checking whether syscon_regmap_lookup_by_phandle() returns an error. If an error occurs, dev_err_probe() dereferences the node pointer to print diagnostic information, but the node memory may have already been freed due to the earlier of_node_put(), leading to a use-after-free vulnerability.
Fix this by moving the of_node_put() call after the error check, ensuring the node is still valid when accessed in the error path.
AnalysisAI
Local privilege escalation and memory corruption in the Linux kernel's MediaTek power-domain (pmdomain) driver stems from a use-after-free in scpsys_get_bus_protection_legacy(), where a device node is released via of_node_put() before the error path dereferences it in dev_err_probe(). Affecting kernels using the MediaTek SCPSYS legacy bus-protection code path (typically ARM/ARM64 MediaTek SoC platforms), a local low-privileged attacker able to influence the probe error path could corrupt freed kernel memory, with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 4th percentile).
Technical ContextAI
The flaw lives in the MediaTek System Control Processor System (SCPSYS) power-domain driver within the kernel's pmdomain subsystem. During probe, scpsys_get_bus_protection_legacy() calls of_find_node_with_property(), which returns a device-tree node with an incremented reference count. The code prematurely calls of_node_put(node), dropping that reference, and only afterward checks whether syscon_regmap_lookup_by_phandle() failed. In the failure branch, dev_err_probe() dereferences the already-released node to print diagnostics. This is a classic CWE-416 Use-After-Free: the object's lifetime (reference count) is ended before the last legitimate access, so the pointer may reference freed slab memory. Per the CPE data the affected product is the Linux kernel (cpe:2.3:a:linux:linux), and exposure is limited to configurations that compile and exercise this MediaTek legacy code path.
RemediationAI
Apply the vendor-released kernel patch by upgrading to a fixed stable release: Linux 6.18.30 or later for the 6.18 series, 7.0.7 or later for the 7.0 series, or 7.1-rc3/7.1 for the development branch. Distribution users should install the corresponding vendor kernel update as soon as it ships. If immediate patching is not possible, the exposure is inherently limited to systems that build and load the MediaTek SCPSYS legacy driver, so a compensating control is to run kernels/configurations that do not enable the affected MediaTek power-domain code path on non-MediaTek hardware (trade-off: none for non-MediaTek platforms; not applicable where the driver is required). The upstream fix simply moves the of_node_put() call after the error check so the node remains valid when dev_err_probe() dereferences it; the exact fix commits are cb27e43c0511e9e1ca8818d231656070b11c18cf, 38d8410021b55d226847b2ac8d189d89fe5a8866, and ec1fcddb3117d9452210e838fd37389ee61e10e8 at git.kernel.org/stable.
WiMAX routers based on the MediaTek SDK (libmtk) that use a custom httpd plugin are vulnerable to an authentication bypa
The MediaTek Embedded Multimedia Card (eMMC) subsystem for Android on MT65xx, MT66xx, and MT8163 SoC devices allows atta
The MT6573FDVT_SetRegHW function in camera_fdvt.c in the MediaTek driver for Linux allows local users to gain privileges
MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected
MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat
MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat
MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat
MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat
MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat
MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected
MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected
MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35173
GHSA-rpc3-vj77-cxwg