The __scm_destroy function in net/core/scm.c in the Linux kernel 126.96.36.199,
2.6.26, and earlier makes indirect recursive calls to itself through calls
to the fput function, which allows local users to cause a denial of service
(panic) via vectors related to sending an SCM_RIGHTS message through a UNIX
domain socket and closing file descriptors.
It was discovered that the Unix Socket handler did not correctly process
the SCM_RIGHTS message. A local attacker could make a malicious socket
request that would crash the system, leading to a denial of service.
kees> raised priority due to public PoC
Updated: 2016-09-21 16:14:45 UTC (commit 11514)