M A Ramdhan

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free vulnerability in the Linux kernel's net/sched: cls u32 component can be exploited to achieve local privilege escalation. When `u32 change()` is called on an existing filter, the whole `tcf result` struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as `tcf unbind filter()` is always called on the old instance in the success path, decreasing `filter cnt` of the still referenced class and allowing it to be deleted, leading to a use-after-free. **Recommendations** Upgrade past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81 to resolve the issue. As a temporary workaround, consider restricting access to the `net/sched: cls u32` component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free vulnerability in the Linux kernel's net/sched: cls fw component can be exploited to achieve local privilege escalation. If `tcf change indev()` fails, `fw set parms()` will immediately return an error after incrementing or decrementing the reference counter in `tcf bind filter()`. If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. **Recommendations** Upgrade past commit 0323bce598eea038714f941ce2b22541c46d488f.