A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an malicious user to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
linux linux kernel 6.5 |
||
linux linux kernel |
||
fedoraproject fedora 38 |
||
redhat enterprise linux 8.0 |
||
redhat enterprise linux 9.0 |