Candidate: CVE-2005-2709
References:
 CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/chrisw/stable-queue.git;a=blob_plain;h=5dbbdc13a7bdbc132de44bc00e13079afaf033d0;f=2.6.14.1/cve-2005-2709-sysctl-unregistration-oops.patch
Description:
 From: Al Viro
 .
 You could open the /proc/sys/net/ipv4/conf// file, then wait for interface
 to go away, try to grab as much memory as possible in hope to hit the
 (kfreed) ctl_table. Then fill it with pointers to your function. Then do
 read from file you've opened and if you are lucky, you'll get it called as
 ->proc_handler() in kernel mode.
Notes:
 CVE is reserved, so we can't take the description from there yet
 .
 dannf> arch/s390/appldata/appldata_base.c doesn't exist in 2.4, so I dropped
 dannf> that hunk in my backport
 .
 **THIS IS AN ABI CHANGE**
Bug:
upstream: released (2.6.14.1), released (2.4.33-pre1)
linux-2.6: released (2.6.14-3)
2.6.8-sarge-security: released (2.6.8-16sarge2) [sysctl-unregistration-oops.dpatch]
2.4.27-sarge-security: released (2.4.27-10sarge2) [196_sysctl-unregistration-oops.patch]
2.4.19-woody-security:
2.4.18-woody-security:
2.4.17-woody-security:
2.4.16-woody-security:
2.4.17-woody-security-hppa:
2.4.17-woody-security-ia64:
2.4.18-woody-security-hppa: