CVE-2016-7916

Kernel Live Patch Security Notice LSN-0021-1

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Race condition in the environ_read function in fs/proc/base.c in the Linux kernel before 4.5.4 allows local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete.

La condición de carrera en la función environ_read en fs / proc / base.c en el kernel de Linux antes de 4.5.4 permite a usuarios locales obtener información sensible de la memoria del kernel leyendo un archivo / proc / * / environ durante un intervalo de tiempo de configuración del proceso cuya copia de variabilidad de entorno es incompleta.

Several security issues were fixed in the kernel. Andrey Konovalov discovered that the AF_PACKET implementation in the Linux kernel did not properly validate certain block-size data. A local attacker could use this to cause a denial of service (system crash). Andrey Konovalov discovered a use-after-free vulnerability in the DCCP implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. Various other issues were also addressed.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-09-09 CVE Reserved
2016-11-16 CVE Published
2024-08-06 CVE Updated
2025-06-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (9)

URL	Tag	Source
http://source.android.com/security/bulletin/2016-11-01.html	Third Party Advisory
http://www.securityfocus.com/bid/94138	Third Party Advisory
https://bugzilla.kernel.org/show_bug.cgi?id=116461	Issue Tracking
https://forums.grsecurity.net/viewtopic.php?f=3&t=4363	Issue Tracking

URL	Date	SRC

URL	Date	SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8148a73c9901a8794a50f950083c00ccf97d43b3	2017-01-18
https://github.com/torvalds/linux/commit/8148a73c9901a8794a50f950083c00ccf97d43b3	2017-01-18

URL	Date	SRC
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.4	2017-01-18
http://www.ubuntu.com/usn/USN-3159-1	2017-01-18
http://www.ubuntu.com/usn/USN-3159-2	2017-01-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				<= 4.5.3 Search vendor "Linux" for product "Linux Kernel" and version " <= 4.5.3"		-		Affected