#VU90216 Use-after-free in Linux kernel
Vulnerability identifier: #VU90216
Vulnerability risk: Low
CVSSv3.1: 7.7 [AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-416
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Linux kernel
Operating systems & Components /
Operating system
Vendor: Linux Foundation
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the cdns3_gadget_ep_disable() function in drivers/usb/cdns3/gadget.c. A local user can escalate privileges on the system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Linux kernel:
External links
http://git.kernel.org/stable/c/cfa9abb5570c489dabf6f7fb3a066cc576fc8824
http://git.kernel.org/stable/c/b40328eea93c75a5645891408010141a0159f643
http://git.kernel.org/stable/c/4e5c73b15d95452c1ba9c771dd013a3fbe052ff3
http://git.kernel.org/stable/c/2134e9906e17b1e5284300fab547869ebacfd7d9
http://git.kernel.org/stable/c/29e42e1578a10c611b3f1a38f3229b2d664b5d16
http://git.kernel.org/stable/c/9a07244f614bc417de527b799da779dcae780b5d
http://git.kernel.org/stable/c/cd45f99034b0c8c9cb346dd0d6407a95ca3d36f6
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
