CVE-2016-8650

kernel: Null pointer dereference via keyctl

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through 4.8.11 does not ensure that memory is allocated for limb data, which allows local users to cause a denial of service (stack memory corruption and panic) via an add_key system call for an RSA key with a zero exponent.

La función mpi_powm en lib/mpi/mpi-pow.c en el kernel Linux hasta la versión 4.8.11 no se asegura que la memoria esté alojada para datos limb, lo que permite a usuarios locales provocar una denegación de servicio (corrupción de memoria de pila y pánico) a través de una llamada de sistema add_key para una llave RSA con un componente cero.

A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key.

It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses. A physically proximate attacker could use this to cause a denial of service. It was discovered that the asynchronous I/O subsystem of the Linux kernel did not properly set permissions on aio memory mappings in some situations. An attacker could use this to more easily exploit other vulnerabilities. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-10-12 CVE Reserved
2016-11-28 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-399: Resource Management Errors
CWE-476: NULL Pointer Dereference

CAPEC

References (13)

URL	Tag	Source
http://seclists.org/fulldisclosure/2016/Nov/76	Mailing List
http://www.openwall.com/lists/oss-security/2016/11/24/8	Mailing List
http://www.securityfocus.com/bid/94532	Vdb Entry
http://www.securitytracker.com/id/1037968	Vdb Entry
https://source.android.com/security/bulletin/2017-03-01.html	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f5527fffff3f002b0a6b376163613b82f69de073	2023-02-12
https://github.com/torvalds/linux/commit/f5527fffff3f002b0a6b376163613b82f69de073	2023-02-12

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2017:0931	2023-02-12
https://access.redhat.com/errata/RHSA-2017:0932	2023-02-12
https://access.redhat.com/errata/RHSA-2017:0933	2023-02-12
https://access.redhat.com/errata/RHSA-2018:1854	2023-02-12
https://bugzilla.redhat.com/show_bug.cgi?id=1395187	2018-06-19
https://access.redhat.com/security/cve/CVE-2016-8650	2018-06-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				<= 4.8.11 Search vendor "Linux" for product "Linux Kernel" and version " <= 4.8.11"		-		Affected