The tcpdisconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (tcpselectwindow divide-by-zero error and system crash) by triggering a disconnect within a certain tcprecvmsg code path.
{ "urgency": "not yet assigned" }