A concurrency use-after-free issue was discovered between reset_interrupt and floppy_end_request.
The root cause is that after floppy_end_request deallocates current_req, reset_interrupt still holds a reference to the freed request and concurrently accesses current_req->error_count. An attacker with a local account on a system where a floppy disk is in use, mounted, and has errors may be able to write to memory after it has been freed. By specially crafting memory requests, the attacker could place a target memory structure in this location to be modified for abuse.
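The ordering described above, replayed deterministically in a single-threaded user-space C model (an added example, not kernel code and not part of the original report). The struct layout, the helper names and the driver-owned counter used in the hardened path are assumptions of this example; the "free" is modelled with a flag so the stale write can be counted safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical layout; only error_count is named in the advisory. */
struct request { int in_use; int error_count; };

static struct request slot;          /* one allocator slot; reusable once released */
static struct request *current_req;  /* pointer shared by both code paths */
static int stale_writes;             /* writes that landed in a released slot */
static int driver_errors;            /* hardened path: counter owned by the driver */

static void start_request(void) { slot.in_use = 1; slot.error_count = 0; current_req = &slot; }

/* Completion path: releases the request (modelled by clearing in_use). */
static void end_request(void) { slot.in_use = 0; current_req = NULL; }

/* Vulnerable error path: writes through a pointer it loaded earlier. */
static void error_path_vulnerable(struct request *captured)
{
    if (!captured->in_use)
        stale_writes++;              /* in the real driver: a write after free */
    captured->error_count++;
}

/* Hardened error path (assumed mitigation): never dereferences the request. */
static void error_path_hardened(void) { driver_errors++; }

/* Replays the ordering: load pointer, release request, count the error. */
int replay(int hardened)
{
    stale_writes = driver_errors = 0;
    start_request();
    struct request *captured = current_req;  /* error path loads the pointer */
    end_request();                           /* completion path releases it */
    if (hardened) error_path_hardened();
    else error_path_vulnerable(captured);
    return stale_writes;
}

int main(void)
{
    printf("vulnerable: %d stale write(s)\n", replay(0));
    printf("hardened:   %d stale write(s)\n", replay(1));
    return 0;
}
```

In the vulnerable replay the increment lands in a slot the allocator is free to hand to another object; in the hardened replay the released slot is left untouched.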
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):