Impact
The vulnerability arises in pppol2tp_ioctl() where the session pointer is read from a socket’s sk_user_data without acquiring a reference or locking the structure (CWE‑911: Use‑After‑Free). If an attacker can induce a controllable sleep during a copy_from_user call—such as via a userfaultfd page fault—while another thread closes the socket, the session can be freed asynchronously through a workqueue. When the ioctl resumes, it dereferences the stale pointer, causing a use‑after‑free that corrupts kernel memory and can be leveraged by a local attacker to execute arbitrary code with elevated privileges.
Affected Systems
All Linux kernel builds that ship with the pppol2tp module and have not incorporated the reference‑counted pppol2tp_sock_to_session helper are affected. The vulnerability applies broadly to any kernel prior to the fix commit; all earlier versions contain the unprotected ioctl path and are vulnerable.
Risk and Exploitability
The EPSS score is reported as < 1 %, indicating a very low probability of real‑world exploitation, and the flaw is not listed in the CISA KEV catalog. The CVSS score is 7.8, confirming a high severity level. Because the flaw allows kernel memory corruption via a race condition that can be triggered by local users, the overall risk is therefore classified as high severity for local attackers who can use the race condition to gain elevated privileges.
OpenCVE Enrichment