Updated: 2026-01-20
CWE: CWE-416
Description:
In the Linux kernel, the following vulnerability has been resolved: lib: cpu_rmap: Avoid use after free on rmap->obj array entries When calling irq_set_affinity_notifier() with NULL at the notify argument, it will cause freeing of the glue pointer in the corresponding array entry but will leave the pointer in the array. A subsequent call to free_irq_cpu_rmap() will try to free this entry again leading to possible use after free. Fix that by setting NULL to the array entry and checking that we have non-zero at the array entry when iterating over the array in free_irq_cpu_rmap(). The current code does not suffer from this since there are no cases where irq_set_affinity_notifier(irq, NULL) (note the NULL passed for the notify arg) is called, followed by a call to free_irq_cpu_rmap() so we don't hit and issue. Subsequent patches in this series excersize this flow, hence the required fix.
CVSS3: 7.8
| OS | Vendor version | Errata |
|---|---|---|
| Amazon Linux 2 | 4.14.318-240.529.amzn2 | ALAS2-2023-2100 |
| Ubuntu 20.04 | 5.4.0-162.179 | USN-6340-1 |
| Debian 11 | 5.10.191-1 | DSA-5480-1 |
| Ubuntu 22.04 | 5.15.0-83.92 | USN-6339-1 |
| Amazon Linux 2 5.4 | 5.4.247-161.349.amzn2 | ALAS2KERNEL-5.4-2023-047 |
| Amazon Linux 2 5.10 | 5.10.184-174.730.amzn2 | ALAS2KERNEL-5.10-2023-034 |
| Debian 12 | 6.1.37-1 | DSA-5448-1 |
| Amazon Linux 2023 | 6.1.34-56.100.amzn2023 | ALAS2023-2023-228 |
| AlmaLinux 9.2 ESU | 5.14.0-284.1101.el9_2.tuxcare.7.els28 | CLSA-2026:1771239384 |
| OS | Original kernel version | State |
|---|---|---|
| Amazon Linux 2 | |
Planned |
| Ubuntu 20.04 | |
Planned |
| Debian 11 | |
Planned |
| Ubuntu 22.04 | |
Planned |
| Amazon Linux 2 5.4 | |
Planned |
| Amazon Linux 2 5.10 | |
Planned |
| Debian 12 | |
Planned |
| Amazon Linux 2023 | |
Planned |
| AlmaLinux 9.2 ESU | |
Planned |