Linux Kernel, Use-After-Free, CVE-2026-23063 (Medium)


The vulnerability resides in the uacce (User space ACCelerator Engine) driver of the Linux kernel. The core issue is an unsafe queue release mechanism: directly invoking the `put_queue` operation could lead to a resource being accessed after it has been freed. The fix introduces a state management system for queues to prevent this. Three distinct states are defined: UACCE_Q_ZOMBIE (initial state after allocation), UACCE_Q_INIT (active after the device is opened), and UACCE_Q_STARTED (active after an ioctl start command).

The problem manifests during a forced system shutdown (poweroff -f) within a virtualized environment while accelerator hardware queues are still operational. In this race condition, two kernel functions, `uacce_fops_release` (triggered by the shutdown) and `uacce_remove` (triggered by device removal), execute concurrently. As a result, `uacce_put_queue`, called from `uacce_fops_release`, attempts to dereference an `ops` (operations) pointer that the concurrently running `uacce_remove` has already set to NULL.

The solution adds a `stop_queue` operation for the UACCE_CMD_PUT_Q command and incorporates state checks to ensure the queue is in a safe state before any operation is performed, thereby preventing the NULL pointer dereference and the resulting system crash.
Platform: Linux Kernel
Version: Versions from 5.7 up to 6.6.121, 6.6.122 to 6.12.67, and 6.12.68 to 6.18.7
Vulnerability: Use-After-Free
Severity: Medium (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Date: 2026-02-04
Prediction: Already patched in stable kernels (6.6.122, 6.12.68, 6.18.8, 6.19-rc7)

What Undercode Say:

Analytics

To determine if your system is vulnerable or has the fix applied, you can check the kernel version and the patched source code.

# Check the current kernel version
uname -r
# Check whether the system is running a patched version (e.g., 6.6.122 or higher)
# Example for RHEL-like systems:
rpm -q kernel
# Example for Debian/Ubuntu:
dpkg -l | grep linux-image
# Check the distribution's changelog for the specific fix commit;
# the upstream fix commit hash is 26c08dabe5475d99a13f353d8dd70e518de45663
# Look for uacce driver messages in the kernel log
sudo dmesg | grep -i "uacce"
# See whether the uacce module is loaded
lsmod | grep uacce
# View the source code change that fixes the issue (if source is available).
# This command searches for the state definitions introduced in the patch.
grep -r "UACCE_Q_ZOMBIE" /usr/src/linux-headers-$(uname -r)/
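An added helper, not part of the advisory, that classifies a kernel version string against the affected ranges and fixed releases listed above; it assumes that only the 6.6, 6.12 and 6.18 stable branches (plus 6.19 and later) carry the fix, and that suffixes such as -generic or -rc7 carry no version information. Distribution kernels often backport fixes without changing the upstream version number, so a "vulnerable" verdict should be confirmed against the package changelog.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a kernel version string
# against the affected ranges (5.7 .. 6.18.7) and the fixed releases
# (6.6.122, 6.12.68, 6.18.8, 6.19-rc7) quoted above.
# Assumption: branches other than 6.6 / 6.12 / 6.18 (e.g. 6.8) carry no fix,
# and anything 6.19 or later is treated as fixed.
uacce_cve_status() {
    ver=${1%%-*}                         # strip "-generic", "-rc7", "-amd64" ...
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    maj=$1; min=${2:-0}; pat=${3:-0}
    for part in "$maj" "$min" "$pat"; do  # reject anything but plain x.y[.z]
        case "$part" in '' | *[!0-9]*) echo unknown; return 2 ;; esac
    done
    num=$((maj * 1000000 + min * 1000 + pat))   # single comparable integer
    if [ "$num" -lt 5007000 ]; then
        echo unaffected; return 0               # before 5.7: driver not present
    fi
    case "$maj.$min" in
        6.6)  [ "$pat" -ge 122 ] && { echo patched; return 0; } ;;
        6.12) [ "$pat" -ge 68 ]  && { echo patched; return 0; } ;;
        6.18) [ "$pat" -ge 8 ]   && { echo patched; return 0; } ;;
        *)    [ "$num" -ge 6019000 ] && { echo patched; return 0; } ;;
    esac
    echo vulnerable; return 1
}

# Constructed sample versions; for the running kernel use:
#   uacce_cve_status "$(uname -r)"
for v in 5.4.0 5.7 6.6.121 6.6.122-generic 6.8.12 6.12.68 6.18.7 6.19-rc7; do
    printf '%-16s %s\n' "$v" "$(uacce_cve_status "$v")"
done
```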

Exploit

As of the publication date, no public exploit code has been released. The vulnerability is triggered locally by a race condition during a forced system shutdown while an accelerator is busy, leading to a denial of service. It requires local access and the ability to interact with a uacce device.

Protection from this CVE

The primary and most effective protection is to update the Linux kernel to a patched version.

# On Debian/Ubuntu, update and install the patched kernel
sudo apt update
sudo apt upgrade linux-image-generic
sudo reboot
# On RHEL/CentOS/Fedora, update and install the patched kernel
sudo yum update kernel
# or
sudo dnf update kernel
sudo reboot

If an immediate update is not possible, you can blacklist the uacce module as a workaround if it is not required. This prevents the driver from loading, mitigating the attack vector.

# Prevent the uacce module from loading at boot (only effective when uacce is
# built as a loadable module rather than compiled into the kernel)
echo "blacklist uacce" | sudo tee /etc/modprobe.d/blacklist-uacce.conf
sudo reboot
# Verify the module is no longer loaded:
lsmod | grep uacce

Impact

Successful exploitation of this vulnerability leads to a denial of service (system crash or kernel panic). It has a high availability impact with no direct impact on system confidentiality or integrity. An attacker with local low privileges can trigger this condition, causing the system to become unavailable.

Sources:

Reported By: nvd.nist.gov