#VU90894 Double free in Linux kernel


Published: 2024-06-03

Vulnerability identifier: #VU90894

Vulnerability risk: Low

CVSSv3.1: 6.8 [AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-26929

CWE-ID: CWE-415

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to a double free error within the qla2x00_els_dcmd_sp_free() and qla24xx_els_dcmd_iocb() functions in drivers/scsi/qla2xxx/qla_iocb.c. A local user can execute arbitrary code.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Linux kernel:


External links
http://git.kernel.org/stable/c/b03e626bd6d3f0684f56ee1890d70fc9ca991c04
http://git.kernel.org/stable/c/282877633b25d67021a34169c5b5519b1d4ef65e
http://git.kernel.org/stable/c/f85af9f1aa5e2f53694a6cbe72010f754b5ff862
http://git.kernel.org/stable/c/9b43d2884b54d415caab48878b526dfe2ae9921b
http://git.kernel.org/stable/c/846fb9f112f618ec6ae181d8dae7961652574774
http://git.kernel.org/stable/c/82f522ae0d97119a43da53e0f729275691b9c525


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

