A vulnerability has been found in Linux Kernel in tst_timer in drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free.
There are use-after-free bugs caused by tst_timer. The root cause
is that there are no functions to stop tst_timer in idt77252_exit().
One of the possible race conditions is shown below:
(thread 1) | (thread 2)
| mod_timer(&card->tst_timer, ...)
idt77252_exit | (wait a time)
kfree(card) // FREE |
| card->soft_tst[e] // USE
The idt77252_dev is deallocated in idt77252_exit() and used in
There was no shipped kernel version that was seen affected by this problem.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):