Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local-only bug needing net-admin device teardown (PR:H) and a won RCU race window (AC:H); slab UAF can yield full C/I/A kernel impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
net: phonet: free phonet_device after RCU grace period
phonet_device_destroy() removes a phonet_device from the per-net device list with list_del_rcu(), but frees it immediately. RCU readers walking the same list can still hold a pointer to the object after it has been removed, leading to a slab-use-after-free.
Use kfree_rcu(), matching the lifetime rule already used by phonet_address_del() for the same object type.
AnalysisAI
Slab use-after-free in the Linux kernel's Phonet subsystem (net/phonet) allows a local privileged actor to trigger memory corruption when a phonet_device is torn down. phonet_device_destroy() unlinks the object from the per-net device list with list_del_rcu() but frees it immediately, so concurrent RCU readers can still dereference the freed object; the fix converts the free to kfree_rcu(). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access to a Linux system where the Phonet subsystem is compiled and loaded (CONFIG_PHONET enabled, phonet module present), plus the privilege to trigger phonet_device_destroy() - i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a genuine-but-not-urgent memory-safety bug rather than a mass-exploitation threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with the ability to create and destroy Phonet devices repeatedly races device teardown (phonet_device_destroy) against another thread walking the per-net phonet device list under RCU, causing a reader to dereference a phonet_device that was freed before the grace period elapsed. By grooming the kernel slab to reallocate the freed object with attacker-controlled data, this use-after-free can be steered toward information disclosure, denial of service (kernel panic), or potentially privilege escalation. … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 6.18.36, 7.0.13, or 7.1 (or later) - which replaces the immediate free in phonet_device_destroy() with kfree_rcu() so the phonet_device is released only after an RCU grace period; the fix commits are 71de0177b28da751f407581a4515cf4d762f6296, 52b8f5ef82c886f7cd24617915e4b1579ddfd001 and bff309ea51f1395c1ef8be8b75ce62d28a319113 at git.kernel.org. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running vulnerable Linux kernel versions via automated scanning tools or manual enumeration (uname -r). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39248
GHSA-w8w6-f4mm-hw75