In the Linux kernel, the following vulnerability has been resolved:
rpmsg: core: fix race in driver_override_show() and use core helper
The driver_override_show() function reads the driver_override string without holding the device_lock. However, the store function modifies and frees the string while holding the device_lock. This creates a race condition where the string can be freed by the store function while it is being read by the show function, leading to a use-after-free.
To fix this, replace the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_store() uses the standard driver_set_override() helper. Since the introduction of driver_set_override(), the comments in include/linux/rpmsg.h have stated that this helper must be used to set or clear driver_override, but the implementation was not updated until now.
Because driver_set_override() modifies and frees the string while holding the device_lock, the new driver_override_show() now correctly holds the device_lock during the read operation to prevent the race.
Additionally, since rpmsg_string_attr has only ever been used for driver_override, removing the macro simplifies the code.
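The locking pattern behind this bug, reduced to a user-space model as an added example (this is not the kernel's rpmsg code or the real driver_set_override()). A pthread mutex stands in for device_lock(); the names model_device, model_set_override(), show_override_unlocked() and show_override_locked() are constructed for illustration. model_set_override() follows the documented behaviour of the core helper (trailing newline trimmed, empty string clears the override, old string freed under the lock); the two show functions place the vulnerable read and the fixed read side by side.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a device whose driver_override string is guarded
 * by a lock, mirroring the rpmsg sysfs attribute pattern. */
struct model_device {
    pthread_mutex_t lock;   /* stands in for device_lock()/device_unlock() */
    char *driver_override;  /* NULL means "no override set" */
};

static void model_device_init(struct model_device *dev)
{
    pthread_mutex_init(&dev->lock, NULL);
    dev->driver_override = NULL;
}

/* Models driver_set_override(): one trailing newline is trimmed, an empty
 * result clears the override, otherwise the old string is freed and replaced.
 * The free happens with the lock held, exactly as in the store path. */
static int model_set_override(struct model_device *dev, const char *s, size_t len)
{
    char *new_value = NULL;

    if (len && s[len - 1] == '\n')
        len--;
    if (len) {
        new_value = strndup(s, len);
        if (!new_value)
            return -ENOMEM;
    }

    pthread_mutex_lock(&dev->lock);
    free(dev->driver_override);      /* old string released under the lock */
    dev->driver_override = new_value;
    pthread_mutex_unlock(&dev->lock);
    return 0;
}

/* BEFORE the fix: the pointer is dereferenced with no lock held. A
 * concurrent store can free the string in the middle of this read, which
 * is the use-after-free the advisory describes. */
static int show_override_unlocked(struct model_device *dev, char *buf, size_t size)
{
    const char *cur = dev->driver_override;
    return snprintf(buf, size, "%s\n", cur ? cur : "");
}

/* AFTER the fix: the whole read happens under the same lock the store path
 * uses, so the string cannot be freed while it is being copied out. */
static int show_override_locked(struct model_device *dev, char *buf, size_t size)
{
    int n;

    pthread_mutex_lock(&dev->lock);
    n = snprintf(buf, size, "%s\n",
                 dev->driver_override ? dev->driver_override : "");
    pthread_mutex_unlock(&dev->lock);
    return n;
}

int main(void)
{
    struct model_device dev;
    char buf[64];

    model_device_init(&dev);
    model_set_override(&dev, "my_driver\n", 10);   /* constructed input */
    show_override_locked(&dev, buf, sizeof buf);
    printf("override: %s", buf);                    /* override: my_driver */

    model_set_override(&dev, "\n", 1);              /* empty => clear */
    show_override_locked(&dev, buf, sizeof buf);
    printf("override after clear: [%s]\n", buf);
    free(dev.driver_override);
    return 0;
}
```

The detection-relevant difference is not in the string handling but in which function holds the lock: the store path already took it, so a show path that reads outside it is a reviewable locking asymmetry, which is the kind of mismatch the fix removes by routing both sides through the same lock.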
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71274.json"
}