A use-after-free vulnerability was found in the ppp_unregister_channel() function. It is triggered when a network namespace is removed while a ppp_async channel is still registered in it and ppp_unregister_channel() tries to access its per-netns data in the defunct namespace.
An attacker who could control the memory being used in the defunct namespace could cause a denial of service by spinlocking a CPU.
An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1335804]
This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 6, 7 realtime and MRG-2 kernels and is not planned to be addressed in a future update.
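
The lifetime rule that prevents this class of bug, as an added example that is not from the original report or the kernel source: a simplified user-space C model in which registering a channel takes a reference on its namespace, so the per-netns data stays allocated until unregistration. All struct and function names are hypothetical; without the `refcount++` in `channel_register`, `channel_unregister` would touch freed memory in the order described above.

```c
#include <stdlib.h>
/* Simplified user-space model; all struct and function names are hypothetical. */
static int live_namespaces;             /* namespace objects not yet freed */
struct netns {
    int refcount;                       /* holders keeping the namespace alive */
    int registered_channels;            /* stands in for the per-netns PPP data */
};
struct channel { struct netns *net; };  /* namespace the channel is registered in */

static struct netns *netns_create(void) {
    struct netns *ns = calloc(1, sizeof(*ns));
    if (!ns) abort();
    ns->refcount = 1;                   /* reference owned by the creator */
    live_namespaces++;
    return ns;
}

static void netns_put(struct netns *ns) {
    if (--ns->refcount == 0) {          /* last holder gone: safe to free */
        live_namespaces--;
        free(ns);
    }
}

/* Registration pins the namespace so its per-netns data outlives the channel. */
static void channel_register(struct channel *ch, struct netns *ns) {
    ns->refcount++;
    ns->registered_channels++;
    ch->net = ns;
}

/* Unregistration touches per-netns data, then drops the pin taken at register. */
static void channel_unregister(struct channel *ch) {
    struct netns *ns = ch->net;
    ns->registered_channels--;          /* valid: our reference kept ns allocated */
    ch->net = NULL;
    netns_put(ns);
}

/* Namespace removed first, channel unregistered later; 10 = alive, then freed. */
static int teardown_then_unregister(void) {
    struct channel ch;
    struct netns *ns = netns_create();
    channel_register(&ch, ns);
    netns_put(ns);                      /* owner removes the namespace */
    int alive_while_registered = live_namespaces;
    channel_unregister(&ch);
    return alive_while_registered * 10 + live_namespaces;
}
int main(void) { return teardown_then_unregister() == 10 ? 0 : 1; }
```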