CVE-2020-25220

HIGH

Linux Kernel 4.9.0-4.9.232 - Use-After-Free in cgroups Feature

Title source: llm
STIX 2.1

Description

The Linux kernel 4.9.x before 4.9.233, 4.14.x before 4.14.194, and 4.19.x before 4.19.140 has a use-after-free because skcd->no_refcnt was not considered during a backport of a CVE-2020-14356 patch. This is related to the cgroups feature.

References (9)

Core 9
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1868453
Mailing List, Patch, Third Party Advisory x_refsource_misc
https://www.spinics.net/lists/stable/msg405099.html
Release Notes, Vendor Advisory x_refsource_misc
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.233
Release Notes, Vendor Advisory x_refsource_misc
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.194
Release Notes, Vendor Advisory x_refsource_misc
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.140
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20201001-0004/
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/10/msg00032.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/10/msg00034.html

Scores

CVSS v3 7.8
EPSS 0.0045
EPSS Percentile 36.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-416
Status published
Products (1)
linux/linux_kernel 4.9.0 - 4.9.233
Published Sep 10, 2020
Tracked Since Feb 18, 2026