KernelScan.io

HIGH

fsl-mc DriverOverride UAF

CVE-2026-23221

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

In the Linux kernel, the following vulnerability has been resolved:

bus: fsl-mc: fix use-after-free in driver_override_show()

The driver_override_show() function reads the driver_override string without holding the device_lock. However, driver_override_store() uses driver_set_override(), which modifies and frees the string while holding the device_lock. This can result in a concurrent use-after-free if the string is freed by the store function while being read by the show function.

Fix this by holding the device_lock around the read operation.

Engine v0.2.0

Risk summary

An attacker with local access can trigger a use-after-free condition by simultaneously reading and writing to the driver_override sysfs attribute. This could lead to system crashes, memory corruption, or potentially code execution with kernel privileges. The vulnerability primarily affects embedded systems and network appliances using NXP Layerscape processors.

Affected: drivers/bus/fsl-mc/fsl-mc-bus.c

Vulnerability analysis

Summary: Race condition in FSL-MC bus driver_override sysfs attribute access leading to use-after-free vulnerability

Root Cause: The driver_override_show() function reads the driver_override string without holding the device_lock, while driver_override_store() modifies and frees the same string while holding the device_lock. This creates a race condition where the show function can access freed memory if the store function deallocates the string concurrently.

Attack Surface: Local access to the sysfs filesystem is required (/sys/bus/fsl-mc/devices/*/driver_override). An attacker needs the ability to read and write the sysfs attribute concurrently from multiple threads or processes. Affects systems with FSL-MC (Freescale Management Complex) hardware, typically NXP Layerscape SoCs used in networking and automotive applications.

Fix Mechanism: The patch adds proper locking by acquiring device_lock before reading the driver_override string in driver_override_show() and releasing it after the read operation completes. This ensures mutual exclusion with the store operation that already holds the same lock, preventing concurrent access to the string during modification/deallocation.

Branch     Fixed in    Patch commit
5.15       5.15.201    c71dfb7833db
6.1        6.1.164     c424e72cfa67
6.12       6.12.74     dd8ba8c0c3f3
6.18       6.18.11     1d6bd6183e72
6.19       6.19.1      a2ae33e1c636
6.6        6.6.127     b19838402873
mainline   7.0         148891e95014