CVE-2016-10088

kernel: Use after free in SCSI generic device interface (CVE-2016-9576 regression)

Severity Score

7.0
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.

It was found that the fix for CVE-2016-9576 was incomplete: the Linux kernel's sg implementation still did not properly restrict write operations in situations where the KERNEL_DS option is set. A local attacker with write access to a /dev/sg device could use this to read or write arbitrary kernel memory locations or cause a denial of service (use-after-free).

*Credits: N/A
CVSS Scores
CVSS v3.1 (base score 7.0; vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS v2.0 (base score 6.9; vector AV:L/AC:M/Au:N/C:C/I:C/A:C)
  • Attack Vector: Local
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-12-30 CVE Reserved
  • 2016-12-30 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-416: Use After Free
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product        Version               Other   Status
Linux    Linux Kernel   < 3.10.107            -       Affected
Linux    Linux Kernel   >= 3.11 < 3.12.70     -       Affected
Linux    Linux Kernel   >= 3.13 < 3.16.40     -       Affected
Linux    Linux Kernel   >= 3.17 < 3.18.47     -       Affected
Linux    Linux Kernel   >= 3.19 < 4.1.38      -       Affected
Linux    Linux Kernel   >= 4.2 < 4.4.41       -       Affected
Linux    Linux Kernel   >= 4.5 < 4.8.17       -       Affected
Linux    Linux Kernel   >= 4.9 < 4.9.2        -       Affected