// For flags

CVE-2016-9555

kernel: Slab out-of-bounds access in sctp_sf_ootb()

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data.

La función sctp_sf_ootb en net/sctp/sm_statefuns.c en el kernel Linux en versiones anteriores a 4.8.8 carece de comprobación de longitud de fragmento para el primer fragmento, lo que permite a atacantes remotos provocar una denegación de servicio (acceso slab fuera de límites) o tener otro posible impacto no especificado a través de datos SCTP manipulados.

A flaw was found in the Linux kernel's implementation of the SCTP protocol. A remote attacker could trigger an out-of-bounds read with an offset of up to 64kB potentially causing the system to crash.

An update that fixes three vulnerabilities is now available. This update for the Linux Kernel 3.12.51-52_39 fixes several issues. The following security bugs were fixed. A race condition in the af_packet packet_set_ring function could be used by local attackers to crash the kernel or gain privileges. The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacks chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data. Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
None
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-11-22 CVE Reserved
  • 2016-11-28 CVE Published
  • 2024-08-06 CVE Updated
  • 2025-05-03 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-125: Out-of-bounds Read
CAPEC
References (24)
URL Tag Source
http://www.openwall.com/lists/oss-security/2016/11/22/18 Mailing List
http://www.securityfocus.com/bid/94479 Third Party Advisory
http://www.securitytracker.com/id/1037339 Third Party Advisory
https://bto.bluecoat.com/security-advisory/sa134 Third Party Advisory
https://groups.google.com/forum/#%21topic/syzkaller/pAUcHsUJbjk X_refsource_confirm
URL Date SRC
URL Date SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bf911e985d6bbaa328c20c3e05f4eb03de11fdd6 2023-11-07
https://github.com/torvalds/linux/commit/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6 2023-11-07
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00044.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00054.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00055.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00056.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00067.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00070.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00073.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00076.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00077.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00087.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2017-0086.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2017-0091.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2017-0113.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2017-0307.html 2023-11-07
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.8 2023-11-07
https://bugzilla.redhat.com/show_bug.cgi?id=1397930 2017-02-23
https://access.redhat.com/security/cve/CVE-2016-9555 2017-02-23
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.2 < 3.2.85
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.2 < 3.2.85"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.3 < 3.10.105
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.3 < 3.10.105"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.11 < 3.12.68
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.11 < 3.12.68"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.13 < 3.16.40
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 3.16.40"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.17 < 3.18.49
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.17 < 3.18.49"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 3.19 < 4.4.32
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 4.4.32"
-
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 4.5.0 < 4.8.8
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.5.0 < 4.8.8"
-
Affected