//nefariousplan

Pool Retains Prior Writes

A kernel object pool returns entries to a freelist without erasing them. Whatever a caller wrote beyond the watermark the next caller expects persists in entries that are later handed to unrelated callers. The cross-caller contract is that nobody reads past their own writes, but the kernel does not enforce it. Combined with any bounded out-of-bounds write into a pool entry, the residue from an attacker's earlier execution becomes a persistent, attacker-controlled staging area in another process's view of the pool.
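The retention mechanism described above, as an added example written for this page (it is not code from the original and models no particular kernel): a toy LIFO freelist pool in C whose entries are handed back without erasure, next to the same pool with wipe-on-free switched on. The pool, its entry layout, and the names pool_alloc, pool_free, residue_bytes_after_reuse and dirty_freed_entries_detected are this example's own assumptions; the byte patterns are constructed. Because the freelist is LIFO, the entry one caller frees is exactly the entry the next caller receives, which is why a short write by the second caller leaves the first caller's bytes visible past its watermark. The all-zero check at allocation is a detection aid: once freed entries are wiped, any non-zero byte coming back off the freelist means something wrote into the entry while it was free.

```c
/* Toy kernel-style object pool (constructed example, not from any real kernel). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENTRY_SIZE   64
#define POOL_ENTRIES 4

struct pool_entry {
    struct pool_entry *next;     /* freelist link, meaningful only while free */
    uint8_t data[ENTRY_SIZE];    /* caller-visible payload */
};

struct pool {
    struct pool_entry entries[POOL_ENTRIES];
    struct pool_entry *freelist;
    bool wipe_on_free;           /* mitigation switch: erase an entry when it is freed */
    int freed_entries_dirty;     /* detection counter: freed entries found non-zero at alloc */
};

static void pool_init(struct pool *p, bool wipe_on_free) {
    memset(p, 0, sizeof *p);
    p->wipe_on_free = wipe_on_free;
    for (int i = POOL_ENTRIES - 1; i >= 0; i--) {   /* push so entries[0] is first out */
        p->entries[i].next = p->freelist;
        p->freelist = &p->entries[i];
    }
}

static uint8_t *pool_alloc(struct pool *p) {
    struct pool_entry *e = p->freelist;
    if (!e) return NULL;
    p->freelist = e->next;
    e->next = NULL;
    /* With wipe-on-free, an entry must still be all-zero when it leaves the
       freelist. Anything else means a write landed in it while it was free. */
    if (p->wipe_on_free) {
        for (size_t i = 0; i < ENTRY_SIZE; i++) {
            if (e->data[i] != 0) { p->freed_entries_dirty++; break; }
        }
    }
    return e->data;
}

static void pool_free(struct pool *p, uint8_t *data) {
    struct pool_entry *e =
        (struct pool_entry *)(data - offsetof(struct pool_entry, data));
    if (p->wipe_on_free)
        memset(e->data, 0, ENTRY_SIZE);   /* the mitigation: no residue survives the freelist */
    e->next = p->freelist;                /* LIFO: this entry is the next one handed out */
    p->freelist = e;
}

/* Caller A fills its whole entry and frees it; caller B then receives the same
   entry but only writes an 8-byte header. Returns how many of A's bytes remain
   visible in B's entry beyond B's own write. */
static int residue_bytes_after_reuse(bool wipe_on_free) {
    struct pool p;
    pool_init(&p, wipe_on_free);

    uint8_t *a = pool_alloc(&p);
    memset(a, 0x41, ENTRY_SIZE);          /* caller A: constructed 'A' fill of the full entry */
    pool_free(&p, a);

    uint8_t *b = pool_alloc(&p);          /* LIFO freelist: B gets A's old entry back */
    memset(b, 0x42, 8);                   /* caller B: writes only its 8-byte header */

    int residue = 0;
    for (size_t i = 8; i < ENTRY_SIZE; i++)
        if (b[i] == 0x41) residue++;      /* A's bytes past B's watermark */
    return residue;
}

/* A stale pointer writes into an entry after it was freed (constructed bug).
   With wipe-on-free, pool_alloc notices the entry is no longer all-zero. */
static int dirty_freed_entries_detected(void) {
    struct pool p;
    pool_init(&p, true);
    uint8_t *a = pool_alloc(&p);
    pool_free(&p, a);
    a[20] = 0x99;                         /* write into a freed entry */
    (void)pool_alloc(&p);
    return p.freed_entries_dirty;
}

int main(void) {
    printf("residue without wipe-on-free: %d bytes\n", residue_bytes_after_reuse(false));
    printf("residue with wipe-on-free:    %d bytes\n", residue_bytes_after_reuse(true));
    printf("dirty freed entries detected: %d\n", dirty_freed_entries_detected());
    return 0;
}
```

Without the wipe, 56 of caller A's 64 bytes are still readable through caller B's entry; with it, none are, and the allocation-time check additionally flags the stale write. Production kernels offer the same trade-off as a configuration choice rather than a code change, for instance Linux's init_on_free boot parameter, which zeroes freed allocations at the cost of extra memset work on every free.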