An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.
4.15.0-1037.39~14.04.2
4.4.0-157.185
4.4.0-1090.101
4.15.0-1032.34~16.04.1
4.15.0-1037.39~16.04.1
4.15.0-1027.28~16.04.1
4.15.0-45.48~16.04.1
4.4.0-1052.59
4.4.0-1117.126
4.4.0-1121.127

Exploitability: AV:N, AC:H, PR:N, UI:N
Scope: S:U
Impact: C:H, I:H, A:H
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H