Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Triggering needs privileged debugfs access (PR:H) and a specific RX-aliases-TX configuration (AC:H); impact is kernel memory corruption enabling code execution and DoS, with no direct confidentiality disclosure (C:N).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
mailbox: mailbox-test: don't free the reused channel
The RX channel can be aliased to the TX channel if it has a different MMIO. This special case needs to be handled when freeing the channels otherwise a double-free occurs.
AnalysisAI
Local privilege escalation potential in the Linux kernel's mailbox-test driver arises from a double-free when the RX channel is aliased to the TX channel (a valid configuration when they use different MMIO regions); the cleanup path frees the reused channel twice. Affecting the mailbox subsystem's test/debug driver across a wide range of stable branches (5.10 through 7.x), the flaw carries a 7.8 CVSS with an AV:L/PR:L vector and has an upstream fix, but EPSS is only 0.18% and there is no public exploit identified at time of analysis.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the mailbox-test driver (CONFIG_MAILBOX_TEST) be built and loaded, that the underlying platform configuration cause the RX mailbox channel to be aliased to the TX channel (the special case where they share a channel but have different MMIO), and local privileged access to drive the driver's debugfs interface that invokes the channel-free path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and lean toward lower real-world urgency than the 7.8 base score suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a system where the mailbox-test module is loaded and the platform aliases the RX channel to the TX channel, a local attacker with sufficient privilege to interact with the driver's debugfs interface triggers the channel-release path, causing the same mailbox channel to be freed twice and corrupting kernel slab metadata. With careful heap grooming this double-free can be developed into a use-after-free for privilege escalation or used to crash the kernel (DoS). … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (whichever matches your series), or apply your distribution's backport of the upstream fix once available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory systems running Linux kernels 5.10-7.x (particularly development/test infrastructure); confirm whether mailbox-test driver is loaded. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-415 – Double Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39899
GHSA-grhq-rqc2-rhjr