CVE-2015-8660

Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Local Privilege Escalation

Severity Score

6.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.

La función ovl_setattr en fs/overlayfs/inode.c en el kernel de Linux hasta la versión 4.3.3 trata de fusionar distintas operaciones setattr, lo que permite a usuarios locales eludir las restricciones destinadas al acceso y modificar los atributos de archivos overlay arbitrarios a través de una aplicación manipulada.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. A flaw was found in the Linux kernel's keyring handling code, where in key_reject_and_link() an uninitialised variable would eventually lead to arbitrary free address which could allow attacker to use a use-after-free style attack. The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

Attack Vector

Local

Attack Complexity

High

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-12-23 CVE Reserved
2015-12-28 CVE Published
2016-01-06 First Exploit
2024-08-06 CVE Updated
2025-07-02 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-264: Permissions, Privileges, and Access Controls
CWE-732: Incorrect Permission Assignment for Critical Resource

CAPEC

References (29)

URL	Tag	Source
http://packetstormsecurity.com/files/135151/Ubuntu-14.04-LTS-15.10-overlayfs-Local-Root.html	Third Party Advisory
http://www.openwall.com/lists/oss-security/2015/12/23/5	Mailing List
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html	Third Party Advisory
http://www.securityfocus.com/bid/79671	Third Party Advisory
http://www.securitytracker.com/id/1034548	Third Party Advisory

URL	Date	SRC
https://packetstorm.news/files/id/135151	2016-01-06
https://packetstorm.news/files/id/139474	2016-11-01
https://www.exploit-db.com/exploits/40688	2024-08-06
https://www.exploit-db.com/exploits/39230	2024-08-06
https://www.exploit-db.com/exploits/39166	2024-08-06
https://github.com/whu-enjoy/CVE-2015-8660	2016-05-17
https://github.com/nhamle2/CVE-2015-8660	2023-01-15
https://github.com/carradolly/CVE-2015-8660	2024-09-11

URL	Date	SRC

URL	Date	SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=acff81ec2c79492b180fade3c2894425cd35a545	2023-06-07
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00039.html	2023-06-07
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00040.html	2023-06-07
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00043.html	2023-06-07
http://rhn.redhat.com/errata/RHSA-2016-1532.html	2023-06-07
http://rhn.redhat.com/errata/RHSA-2016-1539.html	2023-06-07
http://rhn.redhat.com/errata/RHSA-2016-1541.html	2023-06-07
http://www.ubuntu.com/usn/USN-2857-1	2023-06-07
http://www.ubuntu.com/usn/USN-2857-2	2023-06-07
http://www.ubuntu.com/usn/USN-2858-1	2023-06-07
http://www.ubuntu.com/usn/USN-2858-2	2023-06-07
http://www.ubuntu.com/usn/USN-2858-3	2023-06-07
https://bugzilla.redhat.com/show_bug.cgi?id=1291329	2016-08-02
https://github.com/torvalds/linux/commit/acff81ec2c79492b180fade3c2894425cd35a545	2023-06-07
https://access.redhat.com/security/cve/CVE-2015-8660	2016-08-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.18 < 3.18.31 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.18 < 3.18.31"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.19 < 4.1.22 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 4.1.22"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 4.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 4.4"		-		Affected