CVE-2016-7425

Ubuntu Security Notice USN-3161-4

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code.

La función arcmsr_iop_message_xfer en drivers/scsi/arcmsr/arcmsr_hba.c en el kernel de Linux hasta la versión 4.8.2 no restringe una cierta longitud de campo, lo que permite a usuarios locales obtener privilegios o provocar una denegación de servicio (desbordamiento de búfer basado en memoria dinámica) a través de un código de control ARCMSR_MESSAGE_WRITE_WQBUFFER.

Ondrej Kozina discovered that the keyring interface in the Linux kernel contained a buffer overflow when displaying timeout events via the /proc/keys interface. A local attacker could use this to cause a denial of service (system crash). Dmitry Vyukov discovered a use-after-free vulnerability during error processing in the recvmmsg(2) implementation in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other kernel vulnerabilities were also discovered and addressed.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-09-09 CVE Reserved
2016-10-16 CVE Published
2024-08-06 CVE Updated
2025-03-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (15)

URL	Tag	Source
http://marc.info/?l=linux-scsi&m=147394796228991&w=2	Mailing List
http://www.openwall.com/lists/oss-security/2016/09/17/2	Mailing List
http://www.securityfocus.com/bid/93037	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1377330	Issue Tracking
https://security-tracker.debian.org/tracker/CVE-2016-7425	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7bc2b55a5c030685b399bb65b6baa9ccc3d1f167	2023-01-17
http://marc.info/?l=linux-scsi&m=147394713328707&w=2	2023-01-17
https://github.com/torvalds/linux/commit/7bc2b55a5c030685b399bb65b6baa9ccc3d1f167	2023-01-17

URL	Date	SRC
http://www.ubuntu.com/usn/USN-3144-1	2023-01-17
http://www.ubuntu.com/usn/USN-3144-2	2023-01-17
http://www.ubuntu.com/usn/USN-3145-1	2023-01-17
http://www.ubuntu.com/usn/USN-3145-2	2023-01-17
http://www.ubuntu.com/usn/USN-3146-1	2023-01-17
http://www.ubuntu.com/usn/USN-3146-2	2023-01-17
http://www.ubuntu.com/usn/USN-3147-1	2023-01-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.2 < 3.2.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.2 < 3.2.84"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.3 < 3.10.105 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.3 < 3.10.105"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.11 < 3.12.67 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.11 < 3.12.67"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.13 < 3.16.39 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 3.16.39"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.17 < 3.18.46 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.17 < 3.18.46"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.19 < 4.1.37 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 4.1.37"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.2 < 4.4.27 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.2 < 4.4.27"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.5 < 4.7.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.5 < 4.7.10"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.8 < 4.8.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.8 < 4.8.4"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.10"		-		Affected