Linux · Linux Kernel · CVE-2024-56658
**Name of the Vulnerable Software and Affected Versions**
Linux kernel versions prior to 6.6.74
**Description**
A slab-use-after-free issue was reported in the Linux kernel, specifically in the `dst_destroy` function. The problem occurs when the `net` structure is freed before all the `dst` callbacks are called, causing the `dst->ops` pointer to point to the old, already freed `net->xfrm.xfrm[46]_dst_ops`. This issue is related to the `xfrm6_net_init` and `xfrm4_net_init` functions, which copy the `xfrm[46]_dst_ops_template` into `net->xfrm.xfrm[46]_dst_ops`. A fix is to queue the `struct net` to be freed after another `cleanup_net` round.
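The lifetime ordering described above, as an added user-space model (not kernel code and not part of the original advisory). Names follow the advisory, but the struct layouts, the `simulate` helper and the `freed` flag are hypothetical. The model assumes the pending `dst` callback runs between the two cleanup rounds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model only: names follow the advisory, layouts are simplified. */
struct dst_ops   { int family; };
struct net       { struct dst_ops xfrm4_dst_ops; bool freed; };
struct dst_entry { struct dst_ops *ops; };
struct outcome   { bool stale_ops_used; bool net_freed_at_end; };
static const struct dst_ops xfrm4_dst_ops_template = { .family = 2 /* AF_INET */ };

/* Models xfrm4_net_init(): each netns gets its own copy of the template. */
static void xfrm4_net_init(struct net *net)
{
    net->xfrm4_dst_ops = xfrm4_dst_ops_template;
    net->freed = false;
}

/* Models dst_destroy() dereferencing dst->ops; reports a stale access
 * instead of performing one (the model marks memory, it never frees it). */
static bool dst_destroy(const struct dst_entry *dst)
{
    const struct net *net = (const struct net *)
        ((const char *)dst->ops - offsetof(struct net, xfrm4_dst_ops));
    return net->freed;
}

/* defer_free=false: net freed in the same cleanup_net round (pre-fix).
 * defer_free=true:  net queued and freed in the next round (the fix).
 * Assumption: the pending dst callback runs between the two rounds. */
static struct outcome simulate(bool defer_free)
{
    struct net net;
    struct outcome out;

    xfrm4_net_init(&net);
    struct dst_entry dst = { .ops = &net.xfrm4_dst_ops };
    if (!defer_free) net.freed = true;        /* round 1: immediate free */
    out.stale_ops_used = dst_destroy(&dst);   /* late dst callback */
    if (defer_free) net.freed = true;         /* round 2: deferred free */
    out.net_freed_at_end = net.freed;
    return out;
}

int main(void)
{
    printf("pre-fix stale=%d, fixed stale=%d\n", simulate(false).stale_ops_used, simulate(true).stale_ops_used);
    return 0;
}
```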
**Recommendations**
To resolve this issue, update the Linux kernel to version 6.6.74 or later. As a temporary workaround, consider disabling the `dst_destroy` function until a patch is available. Restrict access to the vulnerable `net` structure to minimize the risk of exploitation. Avoid using the `xfrm[46]_dst_ops_template` in the affected `xfrm6_net_init` and `xfrm4_net_init` functions until the issue is resolved.