rpmsg: core: fix race in driver_override_show() and use core helper

Summary

CVE: CVE-2025-71274
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-05-06 12:16:27 UTC
Updated: 2026-05-12 21:25:11 UTC
Description: In the Linux kernel, the following vulnerability has been resolved:

rpmsg: core: fix race in driver_override_show() and use core helper

The driver_override_show function reads the driver_override string without holding the device_lock. However, the store function modifies and frees the string while holding the device_lock. This creates a race condition where the string can be freed by the store function while being read by the show function, leading to a use-after-free.

To fix this, replace the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_store uses the standard driver_set_override helper. Since the introduction of driver_set_override, the comments in include/linux/rpmsg.h have stated that this helper must be used to set or clear driver_override, but the implementation was not updated until now.

Because driver_set_override modifies and frees the string while holding the device_lock, the new driver_override_show now correctly holds the device_lock during the read operation to prevent the race.

Additionally, since rpmsg_string_attr has only ever been used for driver_override, removing the macro simplifies the code.
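The locking rule in the description, as a userspace model added here for illustration (not the kernel patch or any code from the referenced commits). A pthread mutex stands in for device_lock, and `struct model_dev`, `model_store`, `model_show_unlocked` and `model_show_locked` are hypothetical names; the newline trimming and the "(null)" output are choices of this model.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_dev {               /* hypothetical stand-in for the rpmsg device */
    pthread_mutex_t lock;        /* plays the role of device_lock */
    char *driver_override;       /* heap string replaced by the store path */
};

/* Store path: swap in the new string and free the old one while holding the
 * lock. An empty write clears the override (model assumption). */
int model_store(struct model_dev *d, const char *s, size_t len)
{
    char *fresh = NULL, *old;

    if (len && s[len - 1] == '\n')      /* drop a trailing newline */
        len--;
    if (len) {
        fresh = malloc(len + 1);
        if (!fresh)
            return -1;
        memcpy(fresh, s, len);
        fresh[len] = '\0';
    }
    pthread_mutex_lock(&d->lock);
    old = d->driver_override;
    d->driver_override = fresh;
    free(old);                          /* a reader without the lock may still hold 'old' */
    pthread_mutex_unlock(&d->lock);
    return 0;
}

/* BEFORE: read without the lock. Correct only when no store can run
 * concurrently; otherwise the pointer can be freed during the read. */
int model_show_unlocked(struct model_dev *d, char *buf, size_t n)
{
    return snprintf(buf, n, "%s\n", d->driver_override ? d->driver_override : "(null)");
}

/* AFTER: the read holds the same lock as the store, so the string cannot be
 * freed until the copy into buf has finished. */
int model_show_locked(struct model_dev *d, char *buf, size_t n)
{
    int len;

    pthread_mutex_lock(&d->lock);
    len = snprintf(buf, n, "%s\n", d->driver_override ? d->driver_override : "(null)");
    pthread_mutex_unlock(&d->lock);
    return len;
}
```
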

Risk And Classification

Primary CVSS: v3.1 4.7 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-362

CVSS v3.1 Breakdown

Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

NVD Known Affected Configurations (CPE 2.3)

Type Vendor Product Version Update Edition Language
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

Source Vendor Product Version Platforms
CNA Linux Linux affected 39e47767ec9b22f844c2a07c9d329256960d4021 392c6b68334aa0e0ae9aba95c0a366bcb0d92f5d git Not specified
CNA Linux Linux affected 39e47767ec9b22f844c2a07c9d329256960d4021 d66b8074c555e8abb0ae19eea1c9f3635498bdde git Not specified
CNA Linux Linux affected 39e47767ec9b22f844c2a07c9d329256960d4021 47615557447185917afa432b7958f87583c417cb git Not specified
CNA Linux Linux affected 39e47767ec9b22f844c2a07c9d329256960d4021 90c8353f471821d7ccd4fe573a2402e056192494 git Not specified
CNA Linux Linux affected 39e47767ec9b22f844c2a07c9d329256960d4021 7654e6e3cd6bdee9602f6063b3c670bd556d7e61 git Not specified
CNA Linux Linux affected 39e47767ec9b22f844c2a07c9d329256960d4021 2e4a70f3c30910427e5ea848b799066d67b963d5 git Not specified
CNA Linux Linux affected 39e47767ec9b22f844c2a07c9d329256960d4021 954557957177c3c13d7c655976665b1170da5e50 git Not specified
CNA Linux Linux affected 39e47767ec9b22f844c2a07c9d329256960d4021 42023d4b6d2661a40ee2dcf7e1a3528a35c638ca git Not specified
CNA Linux Linux affected 4.18 Not specified
CNA Linux Linux unaffected 4.18 semver Not specified
CNA Linux Linux unaffected 5.10.252 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.202 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.165 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.128 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.75 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.16 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19.6 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0 * original_commit_for_fix Not specified

References

Reference Source Link Tags
git.kernel.org/stable/c/7654e6e3cd6bdee9602f6063b3c670bd556d7e61 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/47615557447185917afa432b7958f87583c417cb 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/954557957177c3c13d7c655976665b1170da5e50 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/392c6b68334aa0e0ae9aba95c0a366bcb0d92f5d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/d66b8074c555e8abb0ae19eea1c9f3635498bdde 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/90c8353f471821d7ccd4fe573a2402e056192494 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/42023d4b6d2661a40ee2dcf7e1a3528a35c638ca 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/2e4a70f3c30910427e5ea848b799066d67b963d5 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis