A use-after-free vulnerability in the Linux kernel’s device tree unit test mechanism presents a significant risk for local privilege escalation and system compromise.

This use-after-free vulnerability occurs in the device tree unit test code, where the parent variable can reference a device node that has already been freed. This occurs because the of_node_put() call is incorrectly sequenced during the test.

With a CVSS score of 8.4, this vulnerability is highly severe. A local attacker capable of triggering the device tree unit test can exploit this memory management flaw to execute arbitrary code with kernel-level privileges. This results in complete system compromise and the ability to bypass all user-space security controls.

Immediate Action: Update the Linux kernel to a version that includes the patch ensuring of_node_put() is called only after all accesses to the parent variable are completed.

Proactive Monitoring: Monitor for suspicious attempts to interact with kernel debugging or unit test interfaces.

Compensating Controls: Disable unnecessary kernel debugging features and unit test modules in production environments to minimize the attack surface.

Public Exploit Available: false

Kernel patches are critical for maintaining system integrity. Organizations should verify their current kernel versions against vendor advisories and apply the necessary updates to prevent local attackers from leveraging this memory management flaw to gain elevated control.