// For flags

CVE-2016-4565

kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The InfiniBand (aka IB) stack in the Linux kernel before 4.5.3 incorrectly relies on the write system call, which allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface.

La memoria de pila InfiniBand (también conocida como IB) en el kernel de Linux en versiones anteriores a 4.5.3 confía incorrectamente en llamadas al sistema de escritura, lo que permite a usuarios locales provocar una denegación de servicio (operación de escritura en la memoria del kernel) o posiblemente tener otro impacto no especificado a través de una interfaz uAPI.

A flaw was found in the way certain interfaces of the Linux kernel's Infiniband subsystem used write() as bi-directional ioctl() replacement, which could lead to insufficient memory security checks when being invoked using the splice() system call. A local unprivileged user on a system with either Infiniband hardware present or RDMA Userspace Connection Manager Access module explicitly loaded, could use this flaw to escalate their privileges on the system.

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: A flaw was found in the Linux kernel's keyring handling code, where in key_reject_and_link() an uninitialised variable would eventually lead to arbitrary free address which could allow attacker to use a use-after-free style attack. A flaw was found in the way certain interfaces of the Linux kernel's Infiniband subsystem used write() as bi-directional ioctl() replacement, which could lead to insufficient memory security checks when being invoked using the splice() system call. A local unprivileged user on a system with either Infiniband hardware present or RDMA Userspace Connection Manager Access module explicitly loaded, could use this flaw to escalate their privileges on the system.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-05-07 CVE Reserved
  • 2016-05-23 CVE Published
  • 2024-08-06 CVE Updated
  • 2025-05-18 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-264: Permissions, Privileges, and Access Controls
CAPEC
References (54)
URL Tag Source
http://www.openwall.com/lists/oss-security/2016/05/07/1 Mailing List
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html Third Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html Third Party Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html Third Party Advisory
http://www.securityfocus.com/bid/90301 Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00054.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00003.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00008.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00009.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00014.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00015.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00016.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00017.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00018.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00019.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00020.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00021.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00022.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00023.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00026.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.html 2023-01-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00055.html 2023-01-17
http://rhn.redhat.com/errata/RHSA-2016-1489.html 2023-01-17
http://rhn.redhat.com/errata/RHSA-2016-1581.html 2023-01-17
http://rhn.redhat.com/errata/RHSA-2016-1617.html 2023-01-17
http://rhn.redhat.com/errata/RHSA-2016-1640.html 2023-01-17
http://rhn.redhat.com/errata/RHSA-2016-1657.html 2023-01-17
http://rhn.redhat.com/errata/RHSA-2016-1814.html 2023-01-17
http://www.debian.org/security/2016/dsa-3607 2023-01-17
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.3 2023-01-17
http://www.ubuntu.com/usn/USN-3001-1 2023-01-17
http://www.ubuntu.com/usn/USN-3002-1 2023-01-17
http://www.ubuntu.com/usn/USN-3003-1 2023-01-17
http://www.ubuntu.com/usn/USN-3004-1 2023-01-17
http://www.ubuntu.com/usn/USN-3005-1 2023-01-17
http://www.ubuntu.com/usn/USN-3006-1 2023-01-17
http://www.ubuntu.com/usn/USN-3007-1 2023-01-17
http://www.ubuntu.com/usn/USN-3018-1 2023-01-17
http://www.ubuntu.com/usn/USN-3018-2 2023-01-17
http://www.ubuntu.com/usn/USN-3019-1 2023-01-17
http://www.ubuntu.com/usn/USN-3021-1 2023-01-17
http://www.ubuntu.com/usn/USN-3021-2 2023-01-17
https://access.redhat.com/errata/RHSA-2016:1277 2023-01-17
https://access.redhat.com/errata/RHSA-2016:1301 2023-01-17
https://access.redhat.com/errata/RHSA-2016:1341 2023-01-17
https://access.redhat.com/errata/RHSA-2016:1406 2023-01-17
https://bugzilla.redhat.com/show_bug.cgi?id=1310570 2016-09-06
https://github.com/torvalds/linux/commit/e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 2023-01-17
https://access.redhat.com/security/cve/CVE-2016-4565 2016-09-06
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 < 3.2.81
Search vendor "Linux" for product "Linux Kernel" and version " < 3.2.81"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.3 < 3.10.103
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.3 < 3.10.103"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.11 < 3.12.61
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.11 < 3.12.61"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.13 < 3.14.76
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 3.14.76"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.15 < 3.16.36
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.15 < 3.16.36"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.17 < 3.18.34
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.17 < 3.18.34"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.19 < 4.1.25
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 4.1.25"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 4.2 < 4.4.9
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 4.4.9"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 4.5 < 4.5.3
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.5 < 4.5.3"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 12.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 14.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"
esm
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 15.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "15.10"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
esm
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected