A race condition between pppol2tp_session_create() and l2tp_eth_create() in net/l2tp/l2tp_netlink.c in the Linux kernel. Calling l2tp_tunnel_find() may result in a new tunnel being created with tunnel id of a previous removed tunnel which wouldn't be protected by the reference counter. An upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f026bc29a8e093edfbb2a77700454b285c97e8ad
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1631046]
This was fixed for Fedora with the 4.14 rebases.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-9517