The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages.
Versions: 3.13.0-137.186, 4.4.0-1005.5, 4.4.0-103.126~14.04.1, 4.4.0-103.126, 4.4.0-1043.52, 4.11.0-1016.16, 4.4.0-9020.21, 4.13.0-1002.5, 4.13.0-32.35~16.04.1, 4.4.0-1012.17

Exploitability: AV:L, AC:L, PR:L, UI:N
Scope: S:U
Impact: C:H, I:H, A:H
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H