Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local low-priv access to the zram device (AV:L/PR:L); AC:H because it requires the non-default admin-configured writeback backing device; kernel UAF yields full C/I/A impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
zram: fix use-after-free in zram_bvec_write_partial()
zram_read_page() picks the sync or async backing device read path based on whether the parent bio is NULL. zram_bvec_write_partial() passes its parent bio down, so for ZRAM_WB slots the read is dispatched asynchronously and zram_read_page() returns 0 while the bio is still in flight. The caller then runs memcpy_from_bvec(), zram_write_page() and __free_page() on the buffer, leaving the async read to write into a freed page.
zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d ("zram: fix synchronous reads") for the same reason; the write_partial counterpart was missed.
AnalysisAI
Use-after-free in the Linux kernel zram block-device driver allows local attackers to corrupt freed kernel page memory when a zram device is configured with a writeback (ZRAM_WB) backing device. The flaw is in zram_bvec_write_partial(), which passes its parent bio into zram_read_page(), causing the backing-device read to be dispatched asynchronously and return before completion; the buffer is then copied, rewritten, and freed while the in-flight read still writes into it. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the zram device to be configured with a writeback backing device (ZRAM_WB) - set via /sys/block/zramX/backing_dev - which is not the default zram configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, 7.8) describes a local, low-privilege flaw with full CIA impact consistent with a kernel UAF that can lead to memory disclosure or privilege escalation (the source tag 'Information Disclosure' aligns with leaking freed-page contents). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a system where an administrator has configured zram with a writeback backing device, a local user with write access to the zram-backed block device or filesystem issues sub-page (partial) writes that target slots already evicted to the backing device. The kernel dispatches the backing read asynchronously and frees the page buffer before the read completes, so the in-flight read writes into freed memory, giving the attacker a use-after-free primitive usable for information disclosure or privilege escalation. … |
| Remediation | Vendor-released patch: upgrade to a fixed Linux stable release - 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1, whichever matches your branch (commits at https://git.kernel.org/stable/c/0c2821665ff71be3f4b07ecece384669f2877f6a and the related stable hashes). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify Linux systems with zram writeback enabled by checking for ZRAM_WB configuration in running kernels and filesystem mounts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-364 – Signal Handler Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39276
GHSA-4pqw-3h25-qrq3