CVE-2015-7872
kernel: Keyrings crash triggerable by unprivileged user
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 4.2.6 allows local users to cause a denial of service (OOPS) via crafted keyctl commands.
La función key_gc_unused_keys en security/keys/gc.c en el kernel Linux hasta la versión 4.2.6 permite a usuarios locales causar una denegación de servicio (OOPS) a través de comandos keyctl manipulados.
It was found that the Linux kernel's keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system.
An update that solves 5 vulnerabilities and has two fixes is now available. This kernel live patch for Linux Kernel 3.12.43-52.6.1 fixes security issues and bugs. A negatively instantiated user key could have been used by a local user to leverage privileges. A NULL pointer dereference flaw was found in the Reliable Datagram Sockets implementation allowing a local user to cause system DoS. A verification was missing that the underlying transport exists when a connection was created. Verify the underlying transport exists before creating a connection, preventing possible DoS. Possible crash when trying to garbage collect an uninstantiated keyring. The prepend_path function in fs/dcache.c in the Linux kernel did not properly handle rename actions inside a bind mount, which allowed local users to bypass an intended container protection mechanism by renaming a directory, related to a "double-chroot attack. Non-security bugfix were also done.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-10-20 CVE Reserved
- 2015-11-10 CVE Published
- 2024-08-06 CVE Updated
- 2025-06-24 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-456: Missing Initialization of a Variable
CAPEC
References (47)
| URL | Tag | Source |
|---|---|---|
| http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce1fad2740c648a4340f6f6c391a8a83769d2e8c | X_refsource_confirm | |
| http://www.openwall.com/lists/oss-security/2015/10/20/6 | Mailing List |
|
| http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html | X_refsource_confirm |
|
| http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html | X_refsource_confirm |
|
| http://www.securityfocus.com/bid/77544 | Vdb Entry | |
| http://www.securitytracker.com/id/1034472 | Vdb Entry | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1272172 | X_refsource_confirm | |
| https://github.com/torvalds/linux/commit/f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 | X_refsource_confirm | |
| https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05068676 | X_refsource_confirm | |
| https://source.android.com/security/bulletin/2016-12-01.html | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | <= 4.2.6 Search vendor "Linux" for product "Linux Kernel" and version " <= 4.2.6" | - |
Affected
| ||||||