This doesn't look good for android users we will see a lot of leaked photos

It's important to actually read these kernel alerts. So, old androids are in zero danger from this, because this comes with kernel 3.8 or later only. They are in danger from every other known exploit for unpatched androids, but given the dispersion of android systems, and the consistent failure by phone vendors to apply timely updates to their android releases, it's best to just think of all non google sourced android systems as essentially vulnerable. And not just old, I have an android 4.4.2, recently updated, which runs linux 3.4, ie, zero risk from this exploit.

The vulnerability is notable because it's exploitable in a wide array of settings. On servers, people with local access can exploit it to achieve complete root access. On smartphones running Android versions KitKat and later, it can allow a malicious app to break out of the normal security sandbox to gain control of underlying OS functions.

[arstechnica.com...]

I'm not convinced this explanation is technically right because they tend to be extremely sloppy in their reporting. I read the actual report:

[perception-point.io...]

but I'm not up on the specifics enough to know if this is truly a local only exploit, which almost ALL are, by the way, and thus of almost no risk to web servers etc, or if it can be exploited via ssh or ssl or apache etc.

However, if it's only local access, which means, you're sitting at the machine typing into its terminal/console, then the risk to servers is close to zero, and, again, the server would have to be running that kernel, which most servers probably aren't doing, since they are long term frozen pool releases. Depends. I've always laughed at local only exploits because the entire notion is so absurd, as I like to note, if someone is sitting directly in front of your system with access to the hardware, you have much bigger security issues than a tiny weakness in the kernel, since they already have your machine, lol.

Same for android risk, google expressed very little concern about the issue, saying it doesn't apply to most android releases.

Of course, android is already long since established as the windows of mobile phone security, so it's not like patching this in your android would suddenly make android secure.

Thanks lizardx.

Is 4.3.3 vulnerable to this? I'm having trouble figuring out exactly when this was fixed.

"The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands. "
[cve.mitre.org...]

so the answer is yes, from 3.8 to 4.4.0, unless the kernel/distro/android maintainer backported the patches to fix it, or if greg kh long term release branches had those backported AND the distro/android distributor updated their kernels, which is impossible to answer. Just adding this for historical purposes.