CVE-2016-6197
kernel: overlayfs: missing upper dentry verification before unlink and rename
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
fs/overlayfs/dir.c in the OverlayFS filesystem implementation in the Linux kernel before 4.6 does not properly verify the upper dentry before proceeding with unlink and rename system-call processing, which allows local users to cause a denial of service (system crash) via a rename system call that specifies a self-hardlink.
fs/overlayfs/dir.c en la implementación del sistema de archivos OverlayFS en el kernel de Linux en versiones anteriores a 4.6 no verifica adecuadamente la dentry superior antes de proceder con el procesamiento de desconexión y cambio de nombre de llamadas al sistema, lo que permite a usuarios locales provocar una denegación del servicio (caída de sistema) a través de una llamada al sistema cambiada de nombre que especifica un self-hardlink.
It was found that the unlink and rename functionality in overlayfs did not verify the upper dentry for staleness. A local, unprivileged user could use the rename syscall on overlayfs on top of xfs to panic or crash the system.
A missing permission check when settings ACLs was discovered in nfsd. A local user could exploit this flaw to gain access to any file by setting an ACL. Kangjie Lu discovered an information leak in the Reliable Datagram Sockets implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-07-11 CVE Reserved
- 2016-08-06 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CAPEC
References (15)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2016/07/11/8 | Mailing List |
|
| http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html | Third Party Advisory |
|
| http://www.securityfocus.com/bid/91709 | Vdb Entry | |
| http://www.securitytracker.com/id/1036273 | Vdb Entry |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2016-1847.html | 2019-12-27 | |
| http://rhn.redhat.com/errata/RHSA-2016-1875.html | 2019-12-27 | |
| http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html | 2019-12-27 | |
| http://www.ubuntu.com/usn/USN-3070-1 | 2019-12-27 | |
| http://www.ubuntu.com/usn/USN-3070-2 | 2019-12-27 | |
| http://www.ubuntu.com/usn/USN-3070-3 | 2019-12-27 | |
| http://www.ubuntu.com/usn/USN-3070-4 | 2019-12-27 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1355650 | 2016-09-15 | |
| https://access.redhat.com/security/cve/CVE-2016-6197 | 2016-09-15 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Oracle Search vendor "Oracle" | Linux Search vendor "Oracle" for product "Linux" | 6 Search vendor "Oracle" for product "Linux" and version "6" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | <= 4.5.7 Search vendor "Linux" for product "Linux Kernel" and version " <= 4.5.7" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Vm Server Search vendor "Oracle" for product "Vm Server" | 3.4 Search vendor "Oracle" for product "Vm Server" and version "3.4" | - |
Affected
| ||||||