Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local chardev access (AV:L, PR:L); exploitation requires winning a write/disconnect race (AC:H); demonstrated impact is a kernel panic/DoS only (A:H, C:N/I:N).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
greybus: raw: fix use-after-free if write is called after disconnect
If a user writes to the chardev after disconnect has been called, the kernel panics with the following trace (with CONFIG_INIT_ON_FREE_DEFAULT_ON=y):
BUG: kernel NULL pointer dereference, address: 0000000000000218 ... Call Trace: <TASK> gb_operation_create_common+0x61/0x180 gb_operation_create_flags+0x28/0xa0 gb_operation_sync_timeout+0x6f/0x100 raw_write+0x7b/0xc7 [gb_raw] vfs_write+0xcf/0x420 ? task_mm_cid_work+0x136/0x220 ksys_write+0x63/0xe0 do_syscall_64+0xa4/0x290 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Disconnect calls gb_connection_destroy, which ends up freeing the connection object. When gb_operation_sync is called in the write file operations, its gets a freed connection as parameter and the kernel panics.
The gb_connection_destroy cannot be moved out of the disconnect function, as the Greybus subsystem expect all connections belonging to a bundle to be destroyed when disconnect returns.
To prevent this bug, use a rw lock to synchronize access between write and disconnect. This guarantees that the write function doesn't try to use a disconnected connection.
AnalysisAI
Local privilege-level denial of service in the Linux kernel's Greybus 'raw' character device driver (gb_raw) allows a user with access to the chardev to trigger a use-after-free by writing to the device after a disconnect has freed the underlying gb_connection object, causing a kernel NULL pointer dereference and panic (observed reliably with CONFIG_INIT_ON_FREE_DEFAULT_ON=y). The flaw is a race between the raw_write() path calling gb_operation_sync_timeout() and gb_connection_destroy() running during disconnect. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the Greybus 'raw' driver (gb_raw) to be loaded and its character device present and accessible, plus a local account with permission to write() to that chardev (PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) rates this High, but the supporting signals point to a more contained denial-of-service issue than the full C:H/I:H/A:H triad implies: the reproduction is a kernel NULL pointer dereference panic, and the intelligence tags explicitly label it 'Denial Of Service'. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with read/write access to the Greybus raw character device opens it and, during or immediately after the corresponding Greybus device/bundle is removed (disconnect), issues a write() so that raw_write() calls into gb_operation_sync_timeout() with a connection object that gb_connection_destroy() has just freed. The freed-then-reused (zeroed under CONFIG_INIT_ON_FREE_DEFAULT_ON) connection triggers a NULL pointer dereference and kernel panic, taking the system down. … |
| Remediation | Patch available per vendor advisory: apply the upstream stable fixes at commits https://git.kernel.org/stable/c/84265cbd96b97058ef67e3f8be3933667a000835 and https://git.kernel.org/stable/c/48d6c32bc049abd114e8f0836c0e7d7cbfba7827, which add a reader-writer lock to serialize raw_write() against disconnect; consume them via your distribution's patched kernel package rather than hand-applying where possible (a released, tagged kernel version is not independently confirmed from the input data). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory systems running Linux kernels with Greybus module enabled and CONFIG_INIT_ON_FREE_DEFAULT_ON=y enabled; review access controls to /dev/gb_raw* character devices. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38892
GHSA-xg88-j2c7-g852