The LIST_POISON feature in include/linux/poison.h in the Linux kernel before 4.3 not properly consider the relationship to the mmap_min_addr value, which makes it easier for attackers to bypass a poison-pointer protection mechanism by triggering the use of an uninitialised list entry.
This is an issue in a security mechanism, not a mechanism for leverage an attack from.
This issue affects versions of the kernel shipped with Red Hat Enterprise
Linux 5, 6, 7 and MRG-2 realtime kernels.
This has been rated as having Moderate security impact and is not currently
planned to be addressed in future updates. For additional information, refer
to the Red Hat Enterprise Linux Life Cycle: