#VU90259 Use-after-free in Linux kernel
Published: 2024-05-31

Vulnerability identifier: #VU90259

Vulnerability risk: Low

CVSSv3.1: 4.8 [AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-46933

CWE-ID: CWE-416

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the ffs_data_clear() and ffs_data_reset() functions in drivers/usb/gadget/function/f_fs.c. A local user can escalate privileges on the system.
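The page names a clear()/reset() pair as the site of the use-after-free. The constructed model below (added here; hypothetical and not the kernel's f_fs.c code) shows the CWE-416 shape such a pair can take: the buggy clear releases a pointed-to resource but leaves the pointer dangling, so the reset path's second clear touches released memory, while the fixed clear nulls the pointer so the repeat is a no-op. A refcount flag stands in for a sanitizer so the defect is counted rather than crashing the process.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed, simplified resource with an explicit liveness flag. */
struct resource { bool alive; int refs; };
/* Hypothetical owner object, loosely modelled on a clear/reset pattern. */
struct ffs_like { struct resource *evt; int state; };

static int uaf_detected; /* counts accesses to an already-released resource */

static void res_get(struct resource *r) { r->alive = true; r->refs = 1; }
static void res_put(struct resource *r) {
    if (!r->alive) { uaf_detected++; return; }  /* stand-in for a sanitizer report */
    if (--r->refs == 0) r->alive = false;
}

/* Buggy clear: releases evt but leaves the dangling pointer in place. */
static void clear_buggy(struct ffs_like *f) { if (f->evt) res_put(f->evt); }

/* Fixed clear: releases evt and nulls the pointer so a repeat clear is a no-op. */
static void clear_fixed(struct ffs_like *f) {
    if (f->evt) { res_put(f->evt); f->evt = NULL; }
}

/* reset runs clear again and then reinitialises state. */
static void reset_with(struct ffs_like *f, void (*clear)(struct ffs_like *)) {
    clear(f);
    f->state = 0;
}

/* Returns how many released-resource accesses occur in a clear-then-reset teardown. */
int teardown_uaf_count(bool fixed) {
    struct resource r;
    struct ffs_like f = { &r, 1 };
    void (*clear)(struct ffs_like *) = fixed ? clear_fixed : clear_buggy;
    uaf_detected = 0;
    res_get(&r);
    clear(&f);              /* first teardown path releases the resource */
    reset_with(&f, clear);  /* reset path clears a second time */
    return uaf_detected;    /* buggy: 1, fixed: 0 */
}
```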

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Linux kernel:
External links
http://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa
http://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919
http://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09
http://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b
http://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee
http://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645
http://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684
http://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154
Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker needs valid credentials and must successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
