// For flags

CVE-2015-8812

kernel: CXGB3: Logic bug in return code handling prematurely frees key structures causing Use after free or kernel panic.

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets.

drivers/infiniband/hw/cxgb3/iwch_cm.c en el Kernel de Linux en versiones anteriores a 4.5 no identifica correctamente condiciones de error, lo que permite a atacantes remotos ejecutar código arbitrario o provocar una denegación de servicio (uso después de liberación de memoria) a través de paquetes manipulados.

A use-after-free flaw was found in the CXGB3 kernel driver when the network was considered to be congested. The kernel incorrectly misinterpreted the congestion as an error condition and incorrectly freed or cleaned up the socket buffer (skb). When the device then sent the skb's queued data, these structures were referenced. A local attacker could use this flaw to panic the system (denial of service) or, with a local account, escalate their privileges.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-02-11 CVE Reserved
  • 2016-03-04 CVE Published
  • 2024-08-06 CVE Updated
  • 2024-08-31 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-416: Use After Free
CAPEC
References (37)
URL Tag Source
http://www.openwall.com/lists/oss-security/2016/02/11/1 Mailing List
http://www.securityfocus.com/bid/83218 Third Party Advisory
URL Date SRC
URL Date SRC
https://github.com/torvalds/linux/commit/67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3 2023-01-19
URL Date SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00094.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00015.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00019.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00025.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00026.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00027.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00028.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00029.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00030.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00031.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00032.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00033.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00034.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00036.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00037.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00045.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00005.html 2023-01-19
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00038.html 2023-01-19
http://rhn.redhat.com/errata/RHSA-2016-2574.html 2023-01-19
http://rhn.redhat.com/errata/RHSA-2016-2584.html 2023-01-19
http://www.debian.org/security/2016/dsa-3503 2023-01-19
http://www.ubuntu.com/usn/USN-2946-1 2023-01-19
http://www.ubuntu.com/usn/USN-2946-2 2023-01-19
http://www.ubuntu.com/usn/USN-2947-1 2023-01-19
http://www.ubuntu.com/usn/USN-2947-2 2023-01-19
http://www.ubuntu.com/usn/USN-2947-3 2023-01-19
http://www.ubuntu.com/usn/USN-2948-1 2023-01-19
http://www.ubuntu.com/usn/USN-2948-2 2023-01-19
http://www.ubuntu.com/usn/USN-2949-1 2023-01-19
http://www.ubuntu.com/usn/USN-2967-1 2023-01-19
http://www.ubuntu.com/usn/USN-2967-2 2023-01-19
https://bugzilla.redhat.com/show_bug.cgi?id=1303532 2016-11-03
https://access.redhat.com/security/cve/CVE-2015-8812 2016-11-03
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Novell
Search vendor "Novell"
 Suse Linux Enterprise Real Time Extension
Search vendor "Novell" for product "Suse Linux Enterprise Real Time Extension"
 12
Search vendor "Novell" for product "Suse Linux Enterprise Real Time Extension" and version "12"
sp1
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 < 3.2.78
Search vendor "Linux" for product "Linux Kernel" and version " < 3.2.78"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.3 < 3.10.99
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.3 < 3.10.99"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.11 < 3.12.56
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.11 < 3.12.56"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.13 < 3.14.63
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 3.14.63"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.15 < 3.16.35
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.15 < 3.16.35"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.17 < 3.18.31
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.17 < 3.18.31"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.19 < 4.1.22
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 4.1.22"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 4.2.0 < 4.4.4
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2.0 < 4.4.4"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 12.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 14.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"
esm
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 15.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "15.10"
-
Affected