// For flags

CVE-2016-0758

kernel: tags with indefinite length can corrupt pointers in asn1_find_indefinite_length()

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Integer overflow in lib/asn1_decoder.c in the Linux kernel before 4.6 allows local users to gain privileges via crafted ASN.1 data.

Desbordamiento de entero en lib/asn1_decoder.c en el kernel de Linux en versiones anteriores a 4.6 permite a usuarios locales obtener privilegios a través de datos ASN.1 manipulados.

A flaw was found in the way the Linux kernel's ASN.1 DER decoder processed certain certificate files with tags of indefinite length. A local, unprivileged user could use a specially crafted X.509 certificate DER file to crash the system or, potentially, escalate their privileges on the system.

David Matlack discovered that the Kernel-based Virtual Machine (KVM) implementation in the Linux kernel did not properly restrict variable Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a guest VM could use this to cause a denial of service (system crash) in the host, expose sensitive information from the host, or possibly gain administrative privileges in the host. Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. Various other issues were also addressed.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2015-12-16 CVE Reserved
  • 2016-05-12 CVE Published
  • 2024-08-05 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CAPEC
References (34)
URL Tag Source
http://source.android.com/security/bulletin/2016-10-01.html Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/05/12/9 Mailing List
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html Third Party Advisory
http://www.securityfocus.com/bid/90626 Third Party Advisory
https://github.com/torvalds/linux/commit/23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00054.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00003.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00008.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00009.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00014.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00015.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00016.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00017.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00018.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00019.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00020.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00021.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00022.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00023.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00026.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.html 2023-02-12
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00055.html 2023-02-12
http://rhn.redhat.com/errata/RHSA-2016-1033.html 2023-02-12
http://rhn.redhat.com/errata/RHSA-2016-1051.html 2023-02-12
http://rhn.redhat.com/errata/RHSA-2016-1055.html 2023-02-12
http://www.ubuntu.com/usn/USN-2979-4 2023-02-12
https://bugzilla.redhat.com/show_bug.cgi?id=1300257 2016-05-12
https://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158555 2023-02-12
https://access.redhat.com/security/cve/CVE-2016-0758 2016-05-12
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Redhat
Search vendor "Redhat"
 Enterprise Linux Desktop
Search vendor "Redhat" for product "Enterprise Linux Desktop"
 7.0
Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Hpc Node
Search vendor "Redhat" for product "Enterprise Linux Hpc Node"
 7.0
Search vendor "Redhat" for product "Enterprise Linux Hpc Node" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Hpc Node Eus
Search vendor "Redhat" for product "Enterprise Linux Hpc Node Eus"
 7.2
Search vendor "Redhat" for product "Enterprise Linux Hpc Node Eus" and version "7.2"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server
Search vendor "Redhat" for product "Enterprise Linux Server"
 7.0
Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Aus
Search vendor "Redhat" for product "Enterprise Linux Server Aus"
 7.2
Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.2"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server Eus
Search vendor "Redhat" for product "Enterprise Linux Server Eus"
 7.2
Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.2"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Workstation
Search vendor "Redhat" for product "Enterprise Linux Workstation"
 7.0
Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.7 < 3.12.60
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 3.12.60"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.13 < 3.16.36
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 3.16.36"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.17 < 3.18.54
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.17 < 3.18.54"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.19 < 4.4.21
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 4.4.21"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
esm
Affected