Samsung NPU device driver double free in Android [CVE-2022-22265]

We discussed this vulnerability during Episode 202 on 04 April 2023

A fairly straightforward double-free issue in the Samsung Neural Processing Unit (NPU) driver. At the time, the NPU driver was also reachable from untrusted code, which made the vuln highly impactful. The main issue is in the VS4L_VERTEXIOC_S_FORMAT ioctl, which takes a format_list from the caller and copies it into a kernel-allocated buffer in order to perform a lookup on the requested formats. If you pass an invalid list, the handler frees that allocated buffer, but the pointer to it had already been stored in the vb_queue object, which is global, and is never cleared on that error path. The queue is therefore left holding a dangling pointer, and another ioctl that releases the queue's format list, such as VS4L_VERTEXIOC_STREAM_OFF, frees that same buffer a second time and triggers the double free.
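To make the pattern concrete, here is an added model of the bug in C alongside a hardened version. It is not the Samsung driver's code: the structures (fmt_list, vb_queue), the format table, and the k_alloc/k_free wrappers are constructed stand-ins chosen to mirror the description above. The wrappers track live allocations so that a second free of the same pointer is counted rather than corrupting the heap, which lets the vulnerable and fixed S_FORMAT handlers be driven through the same S_FORMAT-then-STREAM_OFF sequence and compared.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug pattern: an ioctl handler copies a caller-supplied
 * format list into a fresh allocation, stores the pointer in a long-lived queue
 * object, then frees it on a validation error without clearing that pointer.
 * Names are illustrative stand-ins, not the Samsung driver's actual structures. */
struct fmt_entry {
    unsigned int target;
    unsigned int format;
};

struct fmt_list {
    unsigned int count;
    struct fmt_entry entries[];   /* flexible array: one allocation to free */
};

struct vb_queue {
    struct fmt_list *flist;       /* stands in for the global queue state */
};

/* Instrumented stand-ins for kmalloc/kfree. Live allocations are tracked so a
 * second k_free of the same pointer is counted instead of corrupting the heap;
 * a real kernel would crash, or hand the attacker a reusable freed object. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static void *k_alloc(size_t n)
{
    void *p = calloc(1, n);
    for (int i = 0; p && i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = p;
            return p;
        }
    }
    free(p);
    return NULL;
}

static void k_free(void *p)
{
    if (!p)
        return;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {          /* pointer value compare only, no deref */
            live[i] = NULL;
            free(p);
            return;
        }
    }
    double_frees++;                  /* not live any more: a double free */
}

/* Toy "supported format" lookup standing in for the driver's format table. */
static int format_supported(const struct fmt_entry *e)
{
    return e->format == 0x01 || e->format == 0x02;
}

/* Vulnerable S_FORMAT: publishes the list into the queue before validating it
 * and frees on error without clearing q->flist, leaving a dangling pointer. */
static int s_format_vuln(struct vb_queue *q, const struct fmt_entry *user, unsigned int count)
{
    struct fmt_list *fl = k_alloc(sizeof(*fl) + count * sizeof(*user));
    if (!fl)
        return -ENOMEM;
    fl->count = count;
    memcpy(fl->entries, user, count * sizeof(*user));
    q->flist = fl;                              /* stored too early */
    for (unsigned int i = 0; i < count; i++) {
        if (!format_supported(&fl->entries[i])) {
            k_free(fl);                         /* q->flist still points here */
            return -EINVAL;
        }
    }
    return 0;
}

/* Hardened S_FORMAT: validate the local copy first and publish only on success,
 * so an error path never leaves a reference to freed memory in the queue. */
static int s_format_fixed(struct vb_queue *q, const struct fmt_entry *user, unsigned int count)
{
    struct fmt_list *fl = k_alloc(sizeof(*fl) + count * sizeof(*user));
    if (!fl)
        return -ENOMEM;
    fl->count = count;
    memcpy(fl->entries, user, count * sizeof(*user));
    for (unsigned int i = 0; i < count; i++) {
        if (!format_supported(&fl->entries[i])) {
            k_free(fl);                         /* nothing else references fl */
            return -EINVAL;
        }
    }
    k_free(q->flist);                           /* drop any previous list */
    q->flist = fl;
    return 0;
}

/* STREAM_OFF: releases whatever list the queue holds. Correct on its own; it
 * becomes the second free only when S_FORMAT left a dangling pointer behind. */
static void stream_off(struct vb_queue *q)
{
    k_free(q->flist);
    q->flist = NULL;
}

/* Drive S_FORMAT (valid or invalid list) followed by STREAM_OFF and return how
 * many double frees the instrumented k_free saw; -1 if S_FORMAT misbehaved. */
static int run_sequence(int hardened, int invalid)
{
    struct vb_queue q = { 0 };
    const struct fmt_entry good[2] = { { 0, 0x01 }, { 1, 0x02 } };
    const struct fmt_entry bad[2]  = { { 0, 0x01 }, { 1, 0xff } }; /* 0xff unsupported */
    const struct fmt_entry *list = invalid ? bad : good;
    memset(live, 0, sizeof(live));
    double_frees = 0;
    int rc = hardened ? s_format_fixed(&q, list, 2) : s_format_vuln(&q, list, 2);
    if (rc != (invalid ? -EINVAL : 0))
        return -1;
    stream_off(&q);
    return double_frees;
}

int main(void)
{
    printf("vulnerable, invalid list: %d double free(s)\n", run_sequence(0, 1));
    printf("hardened,   invalid list: %d double free(s)\n", run_sequence(1, 1));
    return 0;
}
```

The fix shown is the ownership discipline the bug violates: a pointer is handed to shared state only once the object is known to be valid, and whoever frees an object that shared state may still reference clears that reference. Either half alone (clearing q->flist on the error path, or deferring the store) would have closed this particular window; doing both is the defensive default.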