This feels like a corruption bug, I'm not sure an "attacker" would act differently from a normal user here, so i'm not sure it really qualifies as a vulnerability.
If the user had to do something special to trigger corruption, I would change my mind, but I think most setups do not hit this condition (otherwise this bug would have surfaced earlier) and normal usage triggers the exact same issue as an attack.
I'd definitely a bug though, and it should definitely be fixed. the question is, should we go through the delays of private security bugfixing or fix it asap.
This feels like a corruption bug, I'm not sure an "attacker" would act differently from a normal user here, so i'm not sure it really qualifies as a vulnerability.
If the user had to do something special to trigger corruption, I would change my mind, but I think most setups do not hit this condition (otherwise this bug would have surfaced earlier) and normal usage triggers the exact same issue as an attack.
I'd definitely a bug though, and it should definitely be fixed. the question is, should we go through the delays of private security bugfixing or fix it asap.