In pppol2tpcreate of l2tpppp.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 708.0, "function_hash": "293984007239053792393002895464783282289" }, "id": "PUB-A-186777253-041ee520", "source": "https://android.googlesource.com/kernel/common/+/d02ba2a6110c5", "deprecated": false, "signature_version": "v1", "target": { "file": "net/l2tp/l2tp_ppp.c", "function": "pppol2tp_release" }, "signature_type": "Function" }, { "digest": { "length": 43.0, "function_hash": "294323057906760878418382000322794272363" }, "id": "PUB-A-186777253-2e567b5b", "source": "https://android.googlesource.com/kernel/common/+/d02ba2a6110c5", "deprecated": false, "signature_version": "v1", "target": { "file": "net/l2tp/l2tp_ppp.c", "function": "pppol2tp_session_close" }, "signature_type": "Function" }, { "digest": { "length": 3544.0, "function_hash": "179991157583453353224773042644488684840" }, "id": "PUB-A-186777253-a6479973", "source": "https://android.googlesource.com/kernel/common/+/d02ba2a6110c5", "deprecated": false, "signature_version": "v1", "target": { "file": "net/l2tp/l2tp_ppp.c", "function": "pppol2tp_connect" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "182575051683400380894931960465293460270", "178685753806527130145939611568819884419", "1850072516964299076477752515431673895", "332746003126512090385663152750660538099", "206715486598414753925392972716920301690", "71400679277680896932837079796425395426", "52746169369468941750131996301860850276", "47713611854444832082430249605267926768", "312358480221979996624868449781133313041", "116484125823057526067427707721472790146", "36066541622731380503384552113773384435", "140185265788267237192731343539310953229", "34664956656419341483458889974431153939", "295647392400199681034677004623530328573", "242692838826234447879834060495856024542", "309854533319731977087622714040827150998", "260525937409788536081871254994411721615", "325981076631152990338264140109668736596", "280884623113486045427139145984924434869", "20950005889287422430746244900880981558", "199177039509902887901200996447003166286", "87982770161656980593901281082091981266", "290949446441369329208060232601829821831", "57367772676137029855556717275743339173", "340156842807021020085066718868762490465", "101687731321824427313606518344132316024", "22980883861224778956930368535141501497", "115447318389753219609202532772862615552", "155719772197767006418480617187557229696", "39807439234609645250469819326420967718", "300382491838275244404742426395349211203", "77406491546908208741540789261563928343" ] }, "id": "PUB-A-186777253-cfc1c5c7", "source": "https://android.googlesource.com/kernel/common/+/d02ba2a6110c5", "deprecated": false, "signature_version": "v1", "target": { "file": "net/l2tp/l2tp_ppp.c" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/d02ba2a6110c5" ], "spl": "2022-12-05", "severity": "Moderate", "types": [ "EoP" ] }