CVE-2025-71274 Overview
CVE-2025-71274 is a race condition vulnerability in the Linux kernel's Remote Processor Messaging (rpmsg) core subsystem. The flaw exists in the driver_override_show() function, which reads the driver_override string without holding the device_lock. Concurrently, the corresponding store function modifies and frees the same string while holding the lock. This mismatch creates a use-after-free condition where a reader can access memory freed by a writer. The vulnerability has been resolved in the upstream Linux kernel through multiple stable backports.
Critical Impact
A local attacker with the ability to read and write the driver_override sysfs attribute concurrently can trigger a use-after-free in kernel memory, potentially leading to information disclosure or kernel memory corruption.
Affected Products
- Linux kernel rpmsg core subsystem (drivers/rpmsg/rpmsg_core.c)
- Linux kernel versions prior to the fix commits referenced in kernel.org stable trees
- Distributions shipping kernels that include the rpmsg_string_attr macro implementation
Discovery Timeline
- 2026-05-06 - CVE-2025-71274 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2025-71274
Vulnerability Analysis
The rpmsg subsystem exposes a driver_override sysfs attribute that allows userspace to bind a specific driver to an rpmsg device. The attribute was implemented through the rpmsg_string_attr macro, which generated both show and store callbacks. The store callback acquired device_lock, replaced the string pointer, and freed the previous allocation. The show callback, however, read the same pointer without any synchronization.
When one thread reads /sys/bus/rpmsg/devices/<dev>/driver_override while another writes to it, the reader can dereference a pointer to memory that the writer has already released through kfree(). This is a classic use-after-free pattern stemming from inconsistent locking discipline between paired sysfs operations.
Root Cause
The root cause is a missing lock acquisition in driver_override_show(). The include/linux/rpmsg.h header documented that driver_set_override must be used to manipulate the driver_override field, but the rpmsg core never adopted that helper. As a result, the show path operated lock-free while the store path mutated the buffer under device_lock, violating the invariant required for safe concurrent access.
Attack Vector
The vulnerability is reachable from local userspace processes that have write access to the driver_override sysfs file, which typically requires root or CAP_SYS_ADMIN. An attacker races a reader thread against a writer thread on the same attribute. Successful exploitation requires winning the race window between kfree() of the old string in the store path and the sprintf() read in the show path.
The fix replaces the rpmsg_string_attr macro with explicit driver_override_show() and driver_override_store() functions. The new store function calls the standard driver_set_override() helper, and the new show function holds device_lock for the duration of the read, so both sides of the attribute now follow the same locking discipline. Refer to Linux kernel commit 2e4a70f3c309 for the canonical patch.
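To make the locking mismatch concrete, here is an added userspace model (not the kernel's code or the upstream patch) of the show/store pair: a pthread mutex stands in for device_lock(), the rpdev struct, driver names and iteration counts are constructed, and the stress function races the fixed show against a writer thread to confirm every read returns a whole, valid string.

```c
/* Added example, not kernel code: userspace model of the rpmsg driver_override
 * show/store pair, a pthread mutex standing in for device_lock(). Constructed. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct rpdev { pthread_mutex_t lock; char *driver_override; };
/* Store path (correct per the advisory): swap the pointer under the lock, then
 * free the old buffer. A reader that fetched 'old' without the lock is now UAF. */
int override_store(struct rpdev *d, const char *buf) {
    char *fresh = strdup(buf), *old;
    if (!fresh) return -1;
    pthread_mutex_lock(&d->lock);
    old = d->driver_override; d->driver_override = fresh;
    pthread_mutex_unlock(&d->lock);
    free(old);                      /* the kfree() side of the race */
    return 0;
}
/* Pre-fix shape of driver_override_show(): no lock, so the string it formats
 * can be freed mid-snprintf by a concurrent store. Safe only single-threaded. */
int override_show_unlocked(struct rpdev *d, char *out, size_t n) {
    return snprintf(out, n, "%s\n", d->driver_override ? d->driver_override : "");
}
/* Fixed shape: hold the lock for the whole read, as the upstream fix does. */
int override_show_locked(struct rpdev *d, char *out, size_t n) {
    pthread_mutex_lock(&d->lock);
    const char *s = d->driver_override;
    int len = snprintf(out, n, "%s\n", s ? s : "");
    pthread_mutex_unlock(&d->lock);
    return len;
}
static const char *names[] = { "rpmsg_chrdev", "rpmsg_ctrl" };
static void *writer(void *arg) {
    for (int i = 0; i < 20000; i++) override_store(arg, names[i & 1]);
    return NULL;
}
/* Race the locked show against a writer; returns reads matching neither name. */
int stress_locked_show(void) {
    struct rpdev d = { PTHREAD_MUTEX_INITIALIZER, strdup(names[0]) };
    pthread_t w; char buf[64]; int bad = 0;
    pthread_create(&w, NULL, writer, &d);
    for (int i = 0; i < 20000; i++) {
        override_show_locked(&d, buf, sizeof buf);
        if (strcmp(buf, "rpmsg_chrdev\n") && strcmp(buf, "rpmsg_ctrl\n")) bad++;
    }
    pthread_join(w, NULL);
    free(d.driver_override);
    return bad;
}
```

Running the unlocked variant inside the same stress loop is the pre-fix bug: under KASAN or ASan it reports a use-after-free on the buffer that override_store() just released.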
Detection Methods for CVE-2025-71274
Indicators of Compromise
- Kernel oops or KASAN reports referencing driver_override_show or rpmsg_core with use-after-free signatures
- Unexpected processes opening or writing /sys/bus/rpmsg/devices/*/driver_override outside normal device provisioning workflows
- Kernel panics correlated with concurrent sysfs access to rpmsg device attributes
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) on test and staging kernels to surface use-after-free conditions in the rpmsg path
- Audit kernel versions across the fleet against the fix commits listed in the kernel.org stable trees
- Monitor dmesg for rpmsg subsystem warnings and slab corruption messages
Monitoring Recommendations
- Track auditd events for open and write syscalls targeting /sys/bus/rpmsg/devices/*/driver_override
- Alert on unexpected loading of rpmsg client drivers on systems where the subsystem is not part of normal operation
- Correlate kernel crash telemetry with running kernel build identifiers to identify unpatched hosts
How to Mitigate CVE-2025-71274
Immediate Actions Required
- Inventory Linux hosts running kernels that include the rpmsg subsystem and identify versions predating the fix
- Apply the upstream stable kernel update that incorporates the driver_override_show locking fix
- Restrict write permissions on rpmsg sysfs attributes to trusted administrative accounts only
Patch Information
The vulnerability is fixed across multiple stable branches. The relevant upstream commits include 2e4a70f3c309, 392c6b68334a, 42023d4b6d26, 4761555744718, 7654e6e3cd6b, 90c8353f4718, 954557957177, and d66b8074c555. Update to the corresponding stable release for your kernel branch.
Workarounds
- If patching is not immediately possible, restrict access to /sys/bus/rpmsg/devices/*/driver_override using filesystem permissions or Mandatory Access Control policies (SELinux, AppArmor)
- Where rpmsg functionality is not required, unload or blacklist the rpmsg_core module to remove the attack surface
- Enforce least-privilege for processes capable of writing rpmsg sysfs attributes by avoiding unnecessary CAP_SYS_ADMIN grants
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.