Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (use-after-free and daemon crash) because of a force_rescan_user error. Reference: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809167 Upstream commit: https://salsa.debian.org/debian/cron/commit/40791b93
I do not think there is such code in cronie or the vixie-cron shipped in RHEL or Fedora.
This seems to be caused by a downstream patch applied to Debian/Ubuntu and, as also said in comment 1, Fedora/RHEL are not affected by this flaw as they simply don't have the vulnerable code.
Created cronie tracking bugs for this issue: Affects: fedora-all [bug 1711927]
Statement: This issue did not affect the versions of vixie-cron as shipped with Red Hat Enterprise Linux 5 as they did not include the vulnerable code. This issue did not affect the versions of cronie as shipped with Red Hat Enterprise Linux 6, 7, and 8 as they did not include the vulnerable code.