CVE-2025-71274
Awaiting Analysis Awaiting Analysis - Queue
Race Condition in Linux Kernel RPMSG Driver Override

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: rpmsg: core: fix race in driver_override_show() and use core helper The driver_override_show function reads the driver_override string without holding the device_lock. However, the store function modifies and frees the string while holding the device_lock. This creates a race condition where the string can be freed by the store function while being read by the show function, leading to a use-after-free. To fix this, replace the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_store uses the standard driver_set_override helper. Since the introduction of driver_set_override, the comments in include/linux/rpmsg.h have stated that this helper must be used to set or clear driver_override, but the implementation was not updated until now. Because driver_set_override modifies and frees the string while holding the device_lock, the new driver_override_show now correctly holds the device_lock during the read operation to prevent the race. Additionally, since rpmsg_string_attr has only ever been used for driver_override, removing the macro simplifies the code.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-71274
EUVD
EUVD-2025-209674
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability has been fixed by updating the Linux kernel to a version where the race condition in the driver_override_show function is resolved.

To mitigate this vulnerability, you should update your Linux kernel to the fixed version that includes the patch replacing the rpmsg_string_attr macro with explicit show and store functions, ensuring proper locking with device_lock.

Executive Summary

This vulnerability exists in the Linux kernel's rpmsg core, specifically in the driver_override_show() function. The issue is a race condition caused because driver_override_show() reads a string without holding the device_lock, while the corresponding store function modifies and frees that string while holding the device_lock. This can lead to a use-after-free scenario where the string is freed during the read operation, potentially causing undefined behavior or crashes.

The fix involved replacing the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_show() function now holds the device_lock during the read to prevent the race, and the store function uses the standard driver_set_override helper, which properly manages the locking and string modifications.

Impact Analysis

This vulnerability can lead to a use-after-free condition in the Linux kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if exploited. The race condition in handling the driver_override string could be triggered under certain conditions, impacting the reliability and security of the affected system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71274. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart