The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable.
Exploitability
AV:LAC:LPR:LUI:NScope
S:UImpact
C:NI:HA:N5.5/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N