Calvin Owens

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to the fixed version **Description** A use-after-free issue has been identified in the Linux kernel, specifically in the pps (pulse per second) subsystem. This issue occurs when the `pps device destruct()` function frees the `pps device` with the embedded `cdev` immediately after calling `cdev del()`, but the file operations for previously opened `cdevs` are still callable even after `cdev del()` returns. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Linux kernel versions prior to the fixed version, consider applying the patch that removes the embedded `cdev` and uses ` register chrdev()` with `pps idr` as the source of truth for which minor corresponds to which device. Additionally, ensure that the `pps->dev` refcount cannot reach zero while userspace can still find it again by moving the `idr remove()` call to `pps unregister cdev()` and having `pps idr` hold a reference to `pps->dev`.