The LIST_POISON feature in include/linux/poison.h in the Linux kernel before 4.3 not properly consider the relationship to the mmap_min_addr value, which makes it easier for attackers to bypass a poison-pointer protection mechanism by triggering the use of an uninitialised list entry. This is an issue in a security mechanism, not a mechanism for leverage an attack from. Upstream patch: https://github.com/torvalds/linux/commit/8a5e5e02fc83aaf67053ab53b359af08c6c49aaf Disclosure: http://www.openwall.com/lists/oss-security/2015/05/02/6
Statement: This issue affects versions of the kernel shipped with Red Hat Enterprise Linux 5, 6, 7 and MRG-2 realtime kernels. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/ .