CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2016-9576 – kernel: Use after free in SCSI generic device interface
https://notcve.org/view.php?id=CVE-2016-9576
The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device. La función blk_rq_map_user_iov en block/blk-map.c en el kernel de Linux en versiones anteriores a 4.8.14 no restringe adecuadamente el tipo de iterador, lo que permite a usuarios locales leer o escribir a ubicaciones de memoria del kernel arbitrarias o provocar una denegación de servicio (uso después de liberación de memoria) aprovechando acceso a un dispositivo /dev/sg. It was found that the blk_rq_map_user_iov() function in the Linux kernel's block device implementation did not properly restrict the type of iterator, which could allow a local attacker to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging write access to a /dev/sg device. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a0ac402cfcdc904f9772e1762b3fda112dcc56a0 http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00040.html http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00041.html http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00057.html http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00062.html http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00072.html http://lists.opensuse.org • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-9755
https://notcve.org/view.php?id=CVE-2016-9755
The netfilter subsystem in the Linux kernel before 4.9 mishandles IPv6 reassembly, which allows local users to cause a denial of service (integer overflow, out-of-bounds write, and GPF) or possibly have unspecified other impact via a crafted application that makes socket, connect, and writev system calls, related to net/ipv6/netfilter/nf_conntrack_reasm.c and net/ipv6/netfilter/nf_defrag_ipv6_hooks.c. El subsistema netfilter en el kernel de Linux en versiones anteriores a 4.9 no maneja adecuadamente reensamblaje IPv6, lo que permite a usuarios locales provocar una denegación de servicio (desbordamiento de entero, escritura fuera de límites y GPF) o posiblemente tener otro impacto no especificado a través de una aplicación manipulada que hace un socket, conecta y escribe llamadas al sistema, relacionado con net/ipv6/netfilter/nf_conntrack_reasm.c y net/ipv6/netfilter/nf_defrag_ipv6_hooks.c. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b57da0630c9fd36ed7a20fc0f98dc82cc0777fa http://www.openwall.com/lists/oss-security/2016/12/01/10 http://www.securityfocus.com/bid/94626 https://bugzilla.redhat.com/show_bug.cgi?id=1400904 https://github.com/torvalds/linux/commit/9b57da0630c9fd36ed7a20fc0f98dc82cc0777fa https://groups.google.com/forum/#%21topic/syzkaller/GFbGpX7nTEo https://www.spinics.net/lists/netdev/msg407525.html • CWE-787: Out-of-bounds Write •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6213 – kernel: Overflowing kernel mount table using shared bind mount
https://notcve.org/view.php?id=CVE-2016-6213
fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts. fs/namespace.c en el kernel de Linux en versiones anteriores a 4.9 no restringe la cantidad de montajes que pueden existir en un espacio de nombre del montaje, lo que permite a usuarios locales provocar una denegación de servicio (consumo de memoria y punto muerto) a través de llamadas al sistema de montaje MS_BIND, según lo demostrado por un bucle que desencadena un crecimiento exponencial en el número de montajes. It was found that in Linux kernel the mount table expands by a power-of-two with each bind mount command. If a system is configured to allow non-privileged user to do bind mounts, or allows to do so in a container or unprivileged mount namespace, then non-privileged user is able to cause a local DoS by overflowing the mount table, which causes a deadlock for the whole system. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d29216842a85c7970c536108e093963f02714498 http://www.openwall.com/lists/oss-security/2016/07/13/8 http://www.securityfocus.com/bid/91754 https://access.redhat.com/errata/RHSA-2017:1842 https://access.redhat.com/errata/RHSA-2017:2077 https://bugzilla.redhat.com/show_bug.cgi?id=1356471 https://github.com/torvalds/linux/commit/d29216842a85c7970c536108e093963f02714498 https://access.redhat.com/security/cve/CVE-2016-6213 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-8966
https://notcve.org/view.php?id=CVE-2015-8966
arch/arm/kernel/sys_oabi-compat.c in the Linux kernel before 4.4 allows local users to gain privileges via a crafted (1) F_OFD_GETLK, (2) F_OFD_SETLK, or (3) F_OFD_SETLKW command in an fcntl64 system call. arch/arm/kernel/sys_oabi-compat.c en el kernel de Linux en versiones anteriores a 4.4 permite a usuarios locales obtener privilegios a través de un comando (1) F_OFD_GETLK, (2) F_OFD_SETLK o (3) F_OFD_SETLKW manipulado en una llamada de sistema fcntl64. • http://source.android.com/security/bulletin/2016-12-01.html http://www.securityfocus.com/bid/94673 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=76cc404bfdc0d419c720de4daaf2584542734f42 https://github.com/torvalds/linux/commit/76cc404bfdc0d419c720de4daaf2584542734f42 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.3EPSS: 0%CPEs: 5EXPL: 0CVE-2016-9120
https://notcve.org/view.php?id=CVE-2016-9120
Race condition in the ion_ioctl function in drivers/staging/android/ion/ion.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) by calling ION_IOC_FREE on two CPUs at the same time. Condición de carrera en la función ion_ioctl en drivers/staging/android/ion/ion.c en el kernel de Linux en versiones anteriores a 4.6 permite a usuarios locales obtener privilegios o provocar una denegación de servicio (uso después de liberación de memoria) llamando a ION_IOC_FREE en dos CPUs al mismo tiempo. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9590232bb4f4cc824f3425a6e1349afbe6d6d2b7 http://source.android.com/security/bulletin/2016-12-01.html http://www.securityfocus.com/bid/94669 https://github.com/torvalds/linux/commit/9590232bb4f4cc824f3425a6e1349afbe6d6d2b7 • CWE-264: Permissions, Privileges, and Access Controls CWE-416: Use After Free •