A double-free can happen in idrremoveall() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).
{ "urgency": "not yet assigned" }