Linux · Linux Kernel · CVE-2021-46936
**Name of the Vulnerable Software and Affected Versions**
Linux kernel versions prior to 5.4
**Description**
A use-after-free vulnerability has been identified in the Linux kernel. The issue arises when `ipv4_mib_exit_net()` is called before `tcp_sk_exit_batch()` during the destruction of a net namespace, resulting in a use-after-free on `net->mib.net_statistics` in `tw_timer_handler()`. This vulnerability can lead to a real-world kernel panic, as demonstrated in Linux 5.4. The bug was introduced by commit 61a7e26028b9, which put net statistics on `struct net` and freed them when the net namespace was destroyed.
**Recommendations**
To resolve this issue, move `init_ipv4_mibs()` to the front of `tcp_init()` and replace `pr_crit()` with `panic()` since continuing is meaningless when `init_ipv4_mibs()` fails. As a temporary workaround, consider disabling the `tw_timer_handler` function until a patch is available. Restrict access to the vulnerable `net->mib.net_statistics` to minimize the risk of exploitation.
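The following user-space model is an added illustration, not kernel code and not part of the original advisory. It shows why moving `init_ipv4_mibs()` ahead of `tcp_init()` fixes the ordering: per-namespace exit handlers run in reverse registration order, so registering the MIB handler first makes it exit last. `struct net_model`, `fire_timer()` and `simulate_teardown()` are hypothetical names, and the stale access is only counted, never performed.

```c
#include <stdio.h>
#include <stdbool.h>

/* User-space model only: none of this is kernel code. */
struct net_model {
    bool stats_allocated;   /* stands in for net->mib.net_statistics */
    bool tw_timer_pending;  /* a TIME_WAIT timer that can still fire */
    int  stale_accesses;    /* timer ran after the stats were freed  */
};

typedef void (*exit_fn)(struct net_model *);

/* Models ipv4_mib_exit_net(): frees the per-namespace statistics. */
static void mib_exit(struct net_model *n) { n->stats_allocated = false; }

/* Models tcp_sk_exit_batch(): purges TIME_WAIT sockets and their timers. */
static void tcp_exit(struct net_model *n) { n->tw_timer_pending = false; }

/* Models tw_timer_handler(): it bumps a counter in net_statistics. */
static void fire_timer(struct net_model *n)
{
    if (n->tw_timer_pending && !n->stats_allocated)
        n->stale_accesses++;   /* would be the use-after-free */
}

/*
 * mibs_first = false: tcp_init() registered before init_ipv4_mibs() (buggy).
 * mibs_first = true:  init_ipv4_mibs() moved ahead of tcp_init() (fixed).
 * Returns how many times the timer touched freed statistics.
 */
int simulate_teardown(bool mibs_first)
{
    exit_fn ops[2];
    struct net_model n = { true, true, 0 };

    ops[0] = mibs_first ? mib_exit : tcp_exit;   /* registration order */
    ops[1] = mibs_first ? tcp_exit : mib_exit;

    /* Pernet exit handlers run in reverse registration order. */
    for (int i = 1; i >= 0; i--) {
        ops[i](&n);
        fire_timer(&n);        /* the timer may fire between exit steps */
    }
    return n.stale_accesses;
}

int main(void)
{
    printf("buggy order: %d stale access(es)\n", simulate_teardown(false));
    printf("fixed order: %d stale access(es)\n", simulate_teardown(true));
    return 0;
}
```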