In the Linux kernel, the following vulnerability has been resolved: net: ipv6: flowlabel: defer exclusive option free until RCU teardown `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection removes it and `fl_free_rcu()` finally tears it down. A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that early `kfree()` and dereference freed option state, triggering a crash in `ip6fl_seq_show()`. Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Type: Secondary
Exploitability Score: 1.8
Impact Score: 5.9
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
NVD-CWE-noinfo
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b4032b840> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdcf6a7c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bddf50400> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b4032b7c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b40328040> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b40329200> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bddf52840> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdcf68440> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702b40328500> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702b40329000> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bddf539c0> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bddf53440> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bddf51800> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* |