What's the vulnerability?
In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context There is a race between fastrpc_device_release() and the workqueue that processes DSP responses. When the user closes the file descriptor, fastrpc_device_release() frees the fastrpc_user structure. Concurrently, an in-flight DSP invocation can complete and fastrpc_rpmsg_callback() schedules context cleanup via schedule_work(&ctx->put_work). If the workqueue runs fastrpc_context_free() in parallel with or after fastrpc_device_release() has freed the user structure, it dereferences the freed fastrpc_user. Depending on the state of the context at the time of the race, any one of the following accesses can be hit: 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...) to strip the SID bits from the stored IOVA before passing the physical address to dma_free_coherent(). 2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to reconstruct the source permission bitmask needed for the qcom_scm_assign_mem() call that returns memory from the DSP VM back to HLOS. 3. fastrpc_free_map() acquires map->fl->lock to safely remove the map node from the fl->maps list. The resulting use-after-free manifests as: pc : fastrpc_buf_free+0x38/0x80 [fastrpc] lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc] fastrpc_context_free+0xa8/0x1b0 [fastrpc] fastrpc_context_put_wq+0x78/0xa0 [fastrpc] process_one_work+0x180/0x450 worker_thread+0x26c/0x388 Add kref-based reference counting to fastrpc_user. Have each invoke context take a reference on the user at allocation time and release it when the context is freed. Release the initial reference in fastrpc_device_release() at file close. Move the teardown of the user structure — freeing pending contexts, maps, mmaps, and the channel context reference — into the kref release callback fastrpc_user_free(), so that it runs only when the last reference is dropped, regardless of whether that happens at device close or after the final in-flight context completes.
Business impact & how R4IM helps
This advisory is on our active-exploitation watchlist. Attackers are using it for initial access, privilege escalation or lateral movement in real-world intrusions. R4IM's offensive security and SOC teams already have detections, exploit replicas and remediation playbooks for this issue.
Targeted vulnerability assessment to confirm which of your assets are actually exploitable — not just theoretically affected.
Our pentesters chain this CVE into realistic attack paths so you see business impact, not just a scan finding.
If the affected product is internet-facing, our AppSec team will harden it against this and related OWASP-class issues.
Continuous monitoring with custom detections for this CVE deployed across your endpoints, identity and cloud.
Recommended remediation
- Inventory all assets running the affected vendor and product, including shadow IT and third-party hosted instances.
- Apply the vendor patch or mitigation referenced in the advisories below. Where no patch exists, isolate the asset or restrict network exposure.
- Hunt for indicators of prior compromise — exploitation of this class of bug often predates public disclosure.
- Deploy detections for the exploit primitives (network signature, EDR rule, WAF rule) and re-test after remediation.
Need help executing these steps? Our team typically completes validation and remediation within a single patch cycle. Request remediation support →
Vendor & research references
- https://git.kernel.org/stable/c/5278ccd357e0d7aeeb1e76c0f3e0e02894a9897c · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- https://git.kernel.org/stable/c/c6e5c2be09f814377d7f1ce97370a5b7b3e02814 · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- https://git.kernel.org/stable/c/d42679eef34dd590b694ce3b666c5e2ba10cd4bf · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- https://git.kernel.org/stable/c/df08fadcf0e5f3708365ec3b6d30b5aafd98bea1 · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- https://git.kernel.org/stable/c/e1e3a05efe5954d5bad01157d79429d39a67a7ae · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- https://git.kernel.org/stable/c/e85eb5feca8e254905ffa6c57a3c99c89a674a0f · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- https://git.kernel.org/stable/c/ecea4967c2bff92c2fafbc59893f711b39f7b152 · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- https://git.kernel.org/stable/c/fbe0947420eec18a84638d29468c2d563ce4e6a3 · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
