CVE-2025-71274

Source: https://cve.org/CVERecord?id=CVE-2025-71274
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71274.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2025-71274
Published: 2026-05-06T11:27:07.525Z
Modified: 2026-06-18T03:54:43.976739895Z
Summary: rpmsg: core: fix race in driver_override_show() and use core helper
Details

In the Linux kernel, the following vulnerability has been resolved:

rpmsg: core: fix race in driver_override_show() and use core helper

The driver_override_show function reads the driver_override string without holding the device_lock. However, the store function modifies and frees the string while holding the device_lock. This creates a race condition where the string can be freed by the store function while being read by the show function, leading to a use-after-free.

To fix this, replace the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_store uses the standard driver_set_override helper. Since the introduction of driver_set_override, the comments in include/linux/rpmsg.h have stated that this helper must be used to set or clear driver_override, but the implementation was not updated until now.

Because driver_set_override modifies and frees the string while holding the device_lock, the new driver_override_show now correctly holds the device_lock during the read operation to prevent the race.

Additionally, since rpmsg_string_attr has only ever been used for driver_override, removing the macro simplifies the code.
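
The locking rule described above, modelled in userspace as an added example (not the kernel patch and not code from this record): a pthread mutex stands in for device_lock(), and struct model_dev and the model_* functions are hypothetical names. The show path takes the same lock as the store path, so a concurrent store can never free the string while it is being read.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_dev {            /* constructed userspace model, not kernel code */
    pthread_mutex_t lock;     /* stands in for device_lock(dev) */
    char *driver_override;    /* heap string, replaced and freed by store */
};

/* store: replace and free the old string while holding the lock. */
static int model_store(struct model_dev *d, const char *s) {
    char *fresh = NULL;       /* an empty string clears the override */
    if (*s && !(fresh = malloc(strlen(s) + 1))) return -1;
    if (fresh) strcpy(fresh, s);
    pthread_mutex_lock(&d->lock);
    free(d->driver_override);
    d->driver_override = fresh;
    pthread_mutex_unlock(&d->lock);
    return 0;
}

/* show: read under the same lock; the pre-fix show read with no lock held. */
static int model_show(struct model_dev *d, char *buf, size_t len) {
    pthread_mutex_lock(&d->lock);
    int n = snprintf(buf, len, "%s\n", d->driver_override ? d->driver_override : "");
    pthread_mutex_unlock(&d->lock);
    return n;
}

static void *model_writer(void *arg) {
    for (int i = 0; i < 20000; i++) model_store(arg, (i & 1) ? "driver_a" : "driver_bb");
    return NULL;
}
/* Reader against writer: counts reads that are not one complete string. */
static int model_race_check(void) {
    struct model_dev d = { PTHREAD_MUTEX_INITIALIZER, NULL };
    pthread_t t; char buf[64]; int bad = 0;
    model_store(&d, "driver_a");
    if (pthread_create(&t, NULL, model_writer, &d)) return -1;
    for (int i = 0; i < 20000; i++) {
        model_show(&d, buf, sizeof(buf));
        bad += strcmp(buf, "driver_a\n") && strcmp(buf, "driver_bb\n");
    }
    pthread_join(t, NULL);
    model_store(&d, "");      /* clear: frees the last string */
    return bad;
}
int main(void) { return model_race_check() ? 1 : 0; }
```

Removing the lock and unlock calls from model_show reproduces the unsynchronized read the record describes; a sanitizer build (for example `-fsanitize=thread`) flags that variant.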

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71274.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced: 39e47767ec9b22f844c2a07c9d329256960d4021
Fixed: 392c6b68334aa0e0ae9aba95c0a366bcb0d92f5d
Fixed: d66b8074c555e8abb0ae19eea1c9f3635498bdde
Fixed: 47615557447185917afa432b7958f87583c417cb
Fixed: 90c8353f471821d7ccd4fe573a2402e056192494
Fixed: 7654e6e3cd6bdee9602f6063b3c670bd556d7e61
Fixed: 2e4a70f3c30910427e5ea848b799066d67b963d5
Fixed: 954557957177c3c13d7c655976665b1170da5e50
Fixed: 42023d4b6d2661a40ee2dcf7e1a3528a35c638ca

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71274.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type       Introduced  Fixed
ECOSYSTEM  4.18.0      5.10.252
ECOSYSTEM  5.11.0      5.15.202
ECOSYSTEM  5.16.0      6.1.165
ECOSYSTEM  6.2.0       6.6.128
ECOSYSTEM  6.7.0       6.12.75
ECOSYSTEM  6.13.0      6.18.16
ECOSYSTEM  6.19.0      6.19.6

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71274.json"