The Linux kernel team has released a patch to fix a security bug that could allow an attacker to execute code with elevated privileges.
The issue — tracked as CVE-2017-15265 — is a use-after-free memory corruption issue that affects ALSA (Advanced Linux Sound Architecture), a software framework included in the Linux kernel that provides an API for sound card drivers.
In layman's terms, the bug occurs because the kernel ALSA code allowed an attacker to call a function, delete its output, and still use that output in another function. This is known as a use-after-free vulnerability, a known attack vector and a common memory management issue.
There is good news and bad news. The good news is that the attacker needs a foothold on a vulnerable machine.
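The pattern described above, as an added example that is not from the article or the kernel source: a user-space model in which a function returns an object, a second request deletes it, and the first caller then tries to use it. All names (`port_create`, `port_delete`, `replay`) are hypothetical, and the reference count shown is a common remedy for this class of bug, assumed here for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space model; names are illustrative, not kernel symbols. */
struct port { int id; int refs; };
static struct port *registry;   /* single-slot table that owns one reference */
static int live_objects;        /* allocations not yet freed */

static void port_put(struct port *p) {
    if (--p->refs == 0) { free(p); live_objects--; }
}

/* Create a port and publish it. With hold_ref the caller gets its own
 * reference; without it the caller merely borrows the registry's. */
static struct port *port_create(int id, int hold_ref) {
    struct port *p = malloc(sizeof(*p));
    if (!p) return NULL;
    p->id = id;
    p->refs = hold_ref ? 2 : 1;  /* registry's reference, plus the caller's */
    registry = p;
    live_objects++;
    return p;
}

/* What a concurrent delete request does: unpublish, drop the registry's ref. */
static void port_delete(void) {
    struct port *p = registry;
    registry = NULL;
    if (p) port_put(p);
}

/* Replay the interleaving create -> delete -> use in a single thread.
 * Returns the port id if the caller's pointer is still valid at use time,
 * or -1 if it is dangling (the use is skipped instead of performed). */
static int replay(int hold_ref) {
    struct port *p = port_create(7, hold_ref);
    if (!p) return -2;
    port_delete();                      /* the "other thread" wins the race */
    if (live_objects == 0) return -1;   /* p was freed: using it would be a UAF */
    int id = p->id;                     /* safe: our reference keeps p alive */
    port_put(p);
    return id;
}

int main(void) {
    printf("borrowed pointer: %d\n", replay(0));
    printf("held reference:   %d\n", replay(1));
    return 0;
}
```

With a borrowed pointer the object is gone before the caller touches it; with a held reference the delete only unpublishes it and the memory is released when the caller finishes.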
This requires infecting the user through malware or other tactics. The bad news is that the attacker can use the ALSA kernel flaw to elevate access from a limited user account to root privileges.
In unrelated news, Linus Torvalds has praised the Linux community's efforts to use fuzzing to discover and help patch new security issues.
"The other thing perhaps worth mentioning is how much random fuzzing people are doing, and it's finding things," Torvalds said.
"We've always done fuzzing (who remembers the old 'crashme' program that just generated random code and jumped to it? We used to do that quite actively very early on), but people have been doing some nice targeted fuzzing of driver subsystems etc, and there's been various fixes (not just this last week either) coming out of those efforts.
"Very nice to see," Torvalds added.