// For flags

CVE-2017-15274

kernel: dereferencing NULL payload with nonzero length

Severity Score

5.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192.

security/keys/keyctl.c en el kernel de Linux en versiones anteriores a la 4.11.5 no tiene en cuenta el caso de una carga útil NULL junto con un valor de longitud que no sea cero, lo que permite a usuarios locales provocar una denegación de servicio (desreferencia de puntero NULL and OOPS) mediante una llamada de sistema add_key o keyctl manipulada. Esta es una vulnerabilidad diferente a CVE-2017-12192.

A flaw was found in the implementation of associative arrays where the add_key systemcall and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameters value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops).

An update that solves four vulnerabilities and has one errata is now available. This update for the Linux Kernel 3.12.74-60_64_60 fixes several issues. The following security bugs were fixed. Security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call. Updated patch for this issue to be in sync with the other livepatches. Description of the issue: Prevent race condition in net-packet code that could have been exploited by unprivileged users to gain root access. The __ip6_append_data function in net/ipv6/ip6_output.c was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service via crafted system calls. The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c allowed attackers to cause a denial of service or possibly have unspecified other impact by leveraging use of the accept system call.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-10-11 CVE Reserved
  • 2017-10-12 CVE Published
  • 2024-08-05 CVE Updated
  • 2025-06-21 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-476: NULL Pointer Dereference
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
<= 4.11.4
Search vendor "Linux" for product "Linux Kernel" and version " <= 4.11.4"
-
Affected