The isotp_setsockopt() function in net/can/isotp.c allows a use-after-free. This leads to arbitrary kernel execution by overwriting the sk_error_report() pointer, which can be misused in order to execute a user-controlled ROP chain to gain root privileges.

External Reference:
https://www.openwall.com/lists/oss-security/2021/05/11/16

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1959674]