In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix potential double free of skb When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain: x25_queue_rx_frame returns 1 | v x25_state3_machine receives the return value 1 and takes the else branch at line 278, setting queued=0 and returning 0 | v x25_process_rx_frame returns queued=0 | v x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb) again This would free the same skb twice. Looking at x25_backlog_rcv: net/x25/x25_in.c:x25_backlog_rcv() { ... queued = x25_process_rx_frame(sk, skb); ... if (!queued) kfree_skb(skb); }
When the alloc_skb function cannot allocate memory in x25_queue_rx_frame, it frees the skb buffer by calling kfree_skb and returns an error code. The error code propagates through the call chain: x25_state3_machine, x25_process_rx_frame, until x25_backlog_rcv, which upon seeing the returned value queued=0 calls kfree_skb on the same buffer a second time. The result is a classic double free error causing corruption of the internal structures of the kernel memory allocator.
An attacker can cause kernel memory corruption, which in practice can result in privilege escalation, arbitrary code execution (RCE), or system failure (kernel panic / DoS).
Patches available in the Linux kernel stable repository should be applied, as indicated in the references (commits: 143d4fa68ae9, 3f5e3005984645, 524371398d84, 5d0aa038a90b, c87dd137c0da). It is recommended to update to a kernel version containing these fixes according to your system distribution.
Linux kernel versions containing vulnerable net/x25 subsystem code — exact versions indicated in the manufacturer's references (commits on stable kernel.org).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLinux Kernel
OSLinux2.6.127.05.16 – 6.1.168 (bez)6.2 – 6.6.134 (bez)2.6.12.1 – 5.10.253 (bez)6.13 – 6.18.22 (bez)6.19 – 6.19.12 (bez)6.7 – 6.12.81 (bez)5.11 – 5.15.203 (bez)
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...