Ben Widawsky

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.17.0-rc2+ **Description** A potential use-after-free issue has been identified in the Linux kernel, specifically in the cxl decoder release() function. This issue arises when the function attempts to reference its parent, a cxl port, to free its id back to port->decoder ida, after the parent has been released. The device core only guarantees parent lifetime until all children are unregistered, and if a child needs a parent to complete its ->release() callback, that child needs to hold a reference to extend the lifetime of the parent. **Recommendations** For Linux kernel versions prior to 5.17.0-rc2+, consider holding a port reference until decoder release to prevent the use-after-free issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.