Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Race condition requires winning a narrow kernel timing window, justifying AC:H over the vendor's AC:L; all other metrics align with the description.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
ipc/shm: serialize orphan cleanup with shm_nattch updates
shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that does not serialize all fields tested by shm_may_destroy(). In particular, shm_nattch is updated while holding shm_perm.lock, and attach paths can do that without holding the rwsem.
Do not decide that an orphaned segment is unused before taking the object lock. Move the shm_may_destroy() check under shm_perm.lock, matching the other destroy paths, and unlock the segment when it no longer qualifies for removal.
AnalysisAI
Race condition in the Linux kernel's System V IPC shared memory subsystem allows a local low-privileged attacker to crash the kernel. The shm_destroy_orphaned() cleanup path evaluates whether an orphaned segment is safe to destroy by checking shm_nattch without holding shm_perm.lock, while the attach/detach paths update that counter independently of shm_ids(ns).rwsem, creating a window where a still-attached segment is erroneously destroyed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local system access with at minimum standard unprivileged user credentials (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.5 (Medium) accurately captures the local-only, availability-only impact with low-privilege requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with standard unprivileged credentials creates a System V shared memory segment and causes its owning process to exit, making the segment orphaned. The attacker then spawns concurrent threads that rapidly call shmat and shmdt on the orphaned segment, while the kernel's periodic orphan cleanup path (`shm_destroy_orphaned`) is simultaneously running. … |
| Remediation | The primary fix is upgrading to a patched Linux kernel stable release: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1, depending on the branch in use. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38700
GHSA-5g46-hmw3-w78x