exploit for CVE-2022-2588

Original Post: exploit for CVE-2022-2588
We discussed this vulnerability during Episode 154 on 27 September 2022.

A logic bug in the Linux kernel's route4_change() function for route filters that leads to a use-after-free (UAF). The problem lies in how filters are added, specifically when a filter already exists on a handle and has to be copied over to a new filter. At the top of the function, a new filter is allocated, data from the previous filter on that handle is copied over if there was one, and the new filter is added to a hash table. Later on, the old filter is removed from the hash table, but only if fold->handle is non-zero. The bug is that it is possible to create filters with a valid handle of 0. When execution reaches the end of the function, the old filter is freed unconditionally. In this situation the old filter has been freed but is still linked into the hash table, leaving a dangling reference in the table.
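As an added illustration, not code from the original post or from the exploit, the userspace model below reproduces the replacement logic described above: the old filter is unlinked from the hash table only when its handle is non-zero, yet it is always freed, so a handle of 0 leaves a freed filter reachable from the table. The names `change`, `pool_free` and `dangling_after_replace` are my own; the real function receives the existing filter as `fold` from its caller, which the model mirrors by passing it in directly, and `fixed == 1` simply always unlinks the old filter, the property a correct version of the check needs.

```c
/* Userspace model of the route4_change() replace path, not kernel code. A bump
 * allocator with a `freed` flag models kfree() so dangling entries are countable. */
#include <stddef.h>
#define NBUCKETS 16
#define POOL 8
struct filter {
    unsigned handle;      /* 0 is a valid handle for route filters */
    struct filter *next;  /* bucket chain */
    int freed;            /* set by pool_free(), which models kfree() */
};
static struct filter pool[POOL], *table[NBUCKETS];
static int next_slot;

static unsigned bucket(unsigned h) { return h % NBUCKETS; }
static struct filter *pool_alloc(void) {
    if (next_slot >= POOL) return NULL;
    struct filter *f = &pool[next_slot++];
    f->next = NULL; f->freed = 0;
    return f;
}
static void pool_free(struct filter *f) { f->freed = 1; } /* slot is never reused */
static void table_unlink(struct filter *v) {
    for (struct filter **fp = &table[bucket(v->handle)]; *fp; fp = &(*fp)->next)
        if (*fp == v) { *fp = v->next; return; }
}

/* Install a new filter on `handle`, replacing `fold` (NULL if none). fixed == 0
 * unlinks fold only when its handle is non-zero (the flawed check); fixed == 1
 * always unlinks it. fold is freed unconditionally either way, as in the bug. */
static struct filter *change(unsigned handle, struct filter *fold, int fixed) {
    struct filter *f = pool_alloc();
    if (!f) return NULL;
    f->handle = handle;                  /* fold's data would be copied here */
    f->next = table[bucket(handle)];     /* new filter enters the table first */
    table[bucket(handle)] = f;
    if (fold && (fixed || fold->handle)) table_unlink(fold);
    if (fold) pool_free(fold);
    return f;
}

/* Add a filter on one handle, then replace it, and count table entries that
 * now point at freed filters; 0 means no dangling reference was left. */
static int dangling_after_replace(unsigned handle, int fixed) {
    int n = 0, b; next_slot = 0;
    for (b = 0; b < NBUCKETS; b++) table[b] = NULL;
    change(handle, change(handle, NULL, fixed), fixed);
    for (b = 0; b < NBUCKETS; b++)
        for (struct filter *f = table[b]; f; f = f->next) n += f->freed;
    return n;
}
```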

The exploit strategy was to turn this UAF into a double free in the kmalloc-192 cache, and then use that to corrupt task credentials, in the same spirit as DirtyCred.