The get_instantiation_keyring function in security/keys/keyctl.c in
the KEYS subsystem in the Linux kernel before 2.6.32-rc5 does not
properly maintain the reference count of a keyring, which allows
local users to gain privileges or cause a denial of service (OOPS)
via vectors involving calls to this function without specifying a
keyring by ID, as demonstrated by a series of keyctl request2 and
keyctl list commands.