Fixed

LIN1022-19828 : Security Advisory - linux - CVE-2023-53826

Created: Dec 10, 2025    Updated: Dec 11, 2025
Resolved Date: Dec 10, 2025
Found In Version: 10.22.33.1
Fix Version: 10.22.33.8
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()

Wear-leveling entry could be freed in error path, which may be accessed
again in eraseblk_count_seq_show(), for example:

__erase_worker                eraseblk_count_seq_show
                                wl = ubi->lookuptbl[*block_number]
                                if (wl)
  wl_entry_destroy
    ubi->lookuptbl[e->pnum] = NULL
    kmem_cache_free(ubi_wl_entry_slab, e)
                                   erase_count = wl->ec  // UAF!

Wear-leveling entry updating/accessing in ubi->lookuptbl should be
protected by ubi->wl_lock, fix it by adding ubi->wl_lock to serialize
wl entry accessing between wl_entry_destroy() and
eraseblk_count_seq_show().

Fetch a reproducer in [Link].
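The serialization described above, as an added userspace model that is not the kernel patch or Wind River's code: the reader fetches the table pointer and copies ec out inside one critical section, and the destroy path clears the slot and frees under the same lock. The model_* functions, PEB_COUNT and the atomic_flag spinlock standing in for ubi->wl_lock are assumptions made for illustration.

```c
/* Added illustration: userspace model of the locking pattern, not kernel code. */
#include <stdatomic.h>
#include <stdlib.h>

#define PEB_COUNT 4                                /* constructed table size */

struct wl_entry { int pnum; int ec; };             /* models struct ubi_wl_entry */
static struct wl_entry *lookuptbl[PEB_COUNT];      /* models ubi->lookuptbl */
static atomic_flag wl_lock = ATOMIC_FLAG_INIT;     /* stand-in for ubi->wl_lock */

static void wl_acquire(void) { while (atomic_flag_test_and_set_explicit(&wl_lock, memory_order_acquire)) { } }
static void wl_release(void) { atomic_flag_clear_explicit(&wl_lock, memory_order_release); }

/* Hypothetical helper: install an entry for pnum. Returns 0 on success. */
int model_add(int pnum, int ec)
{
    struct wl_entry *e, *old;
    if (pnum < 0 || pnum >= PEB_COUNT || !(e = malloc(sizeof(*e))))
        return -1;
    e->pnum = pnum;
    e->ec = ec;
    wl_acquire();
    old = lookuptbl[pnum];
    lookuptbl[pnum] = e;
    wl_release();
    free(old);   /* safe: readers never keep a table pointer past the lock */
    return 0;
}

/* Destroy side: the slot is cleared and the entry freed while the lock is held. */
void model_destroy(int pnum)
{
    if (pnum < 0 || pnum >= PEB_COUNT)
        return;
    wl_acquire();
    free(lookuptbl[pnum]);
    lookuptbl[pnum] = NULL;
    wl_release();
}

/* Reader side: pointer fetch, NULL check and dereference share one critical
 * section, so the entry cannot be freed between the check and the read.
 * Returns the erase counter, or -1 when the slot is empty or out of range. */
int model_read_ec(int pnum)
{
    int erase_count = -1;
    if (pnum < 0 || pnum >= PEB_COUNT)
        return -1;
    wl_acquire();
    if (lookuptbl[pnum])
        erase_count = lookuptbl[pnum]->ec;
    wl_release();
    return erase_count;
}
```

The reader returns a copied integer rather than the entry pointer, so nothing that can be freed escapes the locked region.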