CVE-2025-71274
rpmsg: core: fix race in driver_override_show() and use core helper
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved: rpmsg: core: fix race in driver_override_show() and use core helper The driver_override_show function reads the driver_override string
without holding the device_lock. However, the store function modifies
and frees the string while holding the device_lock. This creates a race
condition where the string can be freed by the store function while
being read by the show function, leading to a use-after-free. To fix this, replace the rpmsg_string_attr macro with explicit show and
store functions. The new driver_override_store uses the standard
driver_set_override helper. Since the introduction of
driver_set_override, the comments in include/linux/rpmsg.h have stated
that this helper must be used to set or clear driver_override, but the
implementation was not updated until now. Because driver_set_override modifies and frees the string while holding
the device_lock, the new driver_override_show now correctly holds the
device_lock during the read operation to prevent the race. Additionally, since rpmsg_string_attr has only ever been used for
driver_override, removing the macro simplifies the code.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2026-03-17 CVE Reserved
- 2026-05-06 CVE Published
- 2026-05-12 CVE Updated
- 2026-05-13 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/39e47767ec9b22f844c2a07c9d329256960d4021 | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 5.10.252 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.10.252" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 5.15.202 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.15.202" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 6.1.165 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.1.165" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 6.6.128 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.6.128" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 6.12.75 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.12.75" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 6.18.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.18.16" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 6.19.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.19.6" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 7.0 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 7.0" | en |
Affected
| ||||||