CVE-2016-0728
Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation
Public Exploits: 14
Exploited in Wild: -
Descriptions
The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.
A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in a certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system.
The kernel packages contain the Linux kernel, the core of any Linux operating system. It was found that the x86 ISA is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way the delivery of benign exceptions such as #DB is handled. A privileged user inside a guest could use this flaw to create denial of service conditions on the host kernel. A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in a certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system.
Timeline
- 2015-12-16 CVE Reserved
- 2016-01-19 CVE Published
- 2016-01-19 First Exploit
- 2024-08-05 CVE Updated
- 2025-05-21 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-416: Use After Free
References (57)
URL | Tag | Source |
---|---|---|
http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728 | Third Party Advisory | |
http://www.openwall.com/lists/oss-security/2016/01/19/2 | Mailing List | |
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html | Third Party Advisory | |
http://www.securityfocus.com/bid/81054 | Third Party Advisory | |
http://www.securitytracker.com/id/1034701 | Third Party Advisory | |
https://bto.bluecoat.com/security-advisory/sa112 | Third Party Advisory | |
https://github.com/torvalds/linux/commit/23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 | Third Party Advisory | |
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05130958 | Third Party Advisory | |
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380 | Third Party Advisory | |
https://security.netapp.com/advisory/ntap-20160211-0001 | Third Party Advisory | |
URL | Date | SRC |
---|---|---|
https://packetstorm.news/files/id/135330 | 2016-01-20 | |
https://packetstorm.news/files/id/137633 | 2016-01-19 | |
https://www.exploit-db.com/exploits/39277 | 2024-08-05 | |
https://www.exploit-db.com/exploits/40003 | 2016-06-22 | |
https://github.com/hal0taso/CVE-2016-0728 | 2017-05-24 | |
https://github.com/googleweb/CVE-2016-0728 | 2016-01-20 | |
https://github.com/th30d00r/Linux-Vulnerability-CVE-2016-0728-and-Exploit | 2020-05-12 | |
https://github.com/kennetham/cve_2016_0728 | 2018-01-04 | |
https://github.com/nardholio/cve-2016-0728 | 2024-07-27 | |
https://github.com/neuschaefer/cve-2016-0728-testbed | 2023-02-16 | |
https://github.com/bittorrent3389/cve-2016-0728 | 2023-01-10 | |
https://github.com/sugarvillela/CVE | 2018-12-11 | |
https://github.com/tndud042713/cve | 2022-08-15 | |
https://github.com/sidrk01/cve-2016-0728 | 2022-12-04 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Google | Android | 4.0 | - | Affected |
Google | Android | 4.0.1 | - | Affected |
Google | Android | 4.0.2 | - | Affected |
Google | Android | 4.0.3 | - | Affected |
Google | Android | 4.0.4 | - | Affected |
Google | Android | 4.1 | - | Affected |
Google | Android | 4.1.2 | - | Affected |
Google | Android | 4.2 | - | Affected |
Google | Android | 4.2.1 | - | Affected |
Google | Android | 4.2.2 | - | Affected |
Google | Android | 4.3 | - | Affected |
Google | Android | 4.3.1 | - | Affected |
Google | Android | 4.4 | - | Affected |
Google | Android | 4.4.1 | - | Affected |
Google | Android | 4.4.2 | - | Affected |
Google | Android | 4.4.3 | - | Affected |
Google | Android | 5.0 | - | Affected |
Google | Android | 5.0.1 | - | Affected |
Google | Android | 5.0.2 | - | Affected |
Google | Android | 5.1 | - | Affected |
Google | Android | 5.1.0 | - | Affected |
Google | Android | 5.1.1 | - | Affected |
Google | Android | 6.0 | - | Affected |
Google | Android | 6.0.1 | - | Affected |
Hp | Server Migration Pack | <= 7.5 | - | Affected |
Linux | Linux Kernel | >= 3.8 < 3.10.95 | - | Affected |
Linux | Linux Kernel | >= 3.11 < 3.12.53 | - | Affected |
Linux | Linux Kernel | >= 3.13 < 3.14.59 | - | Affected |
Linux | Linux Kernel | >= 3.15 < 3.16.35 | - | Affected |
Linux | Linux Kernel | >= 3.17 < 3.18.26 | - | Affected |
Linux | Linux Kernel | >= 3.19 < 4.1.16 | - | Affected |
Linux | Linux Kernel | >= 4.2 < 4.3.4 | - | Affected |
Linux | Linux Kernel | >= 4.4 < 4.4.1 | - | Affected |
Debian | Debian Linux | 8.0 | - | Affected |
Canonical | Ubuntu Linux | 12.04 | - | Affected |
Canonical | Ubuntu Linux | 14.04 | esm | Affected |
Canonical | Ubuntu Linux | 15.04 | - | Affected |
Canonical | Ubuntu Linux | 15.10 | - | Affected |