The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference.
3.13.0-142.1914.4.0-47.68~14.04.14.4.0-47.684.4.0-1038.454.4.0-1035.395.4.0-1063.66+cvm2.25.4.0-1063.66+cvm3.25.4.0-1064.67+cvm1.15.4.0-1065.68+cvm2.15.4.0-1067.70+cvm1.15.4.0-1068.71+cvm1.15.4.0-1069.72+cvm1.15.4.0-1070.73+cvm1.15.4.0-1072.75+cvm1.15.4.0-1073.76+cvm1.1+16 more5.4.0-1033.355.4.0-1035.375.4.0-1036.385.4.0-1037.395.4.0-1039.415.4.0-1041.435.4.0-1042.445.4.0-1043.455.4.0-1044.465.4.0-1046.48+41 more5.4.0-1008.95.4.0-1009.105.4.0-1010.115.4.0-1011.125.4.0-1012.135.4.0-1013.145.4.0-1014.155.4.0-1015.165.4.0-1016.175.4.0-1018.19+68 more5.3.0-1007.85.3.0-1014.165.3.0-1015.175.3.0-1017.195.4.0-1004.45.4.0-1006.65.4.0-24.285.4.0-26.305.4.0-27.315.4.0-28.325.4.0-30.345.4.0-31.355.4.0-33.375.4.0-34.385.4.0-36.415.4.0-37.42+2 moreExploitability
AV:PAC:HPR:LUI:NScope
S:UImpact
C:HI:HA:HCVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H