CVE-2017-15649

Linux Kernel - 'AF_PACKET' Use-After-Free

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.

net/packet/af_packet.c en versiones anteriores a la 4.13.6 del kernel de Linux permite que usuarios locales obtengan privilegios mediante llamadas manipuladas al sistema que dan lugar a una gestión incorrecta de las estructuras de datos packet_fanout. Esto se debe a una condición de carrera (que afecta a fanout_add y packet_do_bind) que da lugar a un uso de memoria previamente liberada. Esta vulnerabilidad es diferente de CVE-2017-6346.

It was found that fanout_add() in 'net/packet/af_packet.c' in the Linux kernel, before version 4.13.6, allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free bug.

An update that solves two vulnerabilities and has two fixes is now available. This update for the Linux Kernel 4.4.82-6_9 fixes several issues. The following security issues were fixed. Net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition that leads to a use-after-free, a different vulnerability than CVE-2017-6346 Non security issues fixed. Wi-Fi Protected Access allowed reinstallation of the Group Temporal Key during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-10-17 First Exploit
2017-10-19 CVE Reserved
2017-10-19 CVE Published
2024-08-05 CVE Updated
2025-07-01 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-416: Use After Free

CAPEC

References (17)

URL	Tag	Source
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=008ba2a13f2d04c947adc536d19debb8fe66f110	Third Party Advisory
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4971613c1639d8e5f102c4e797c3bf8f83a5a69e	Third Party Advisory
http://patchwork.ozlabs.org/patch/813945	Issue Tracking
http://patchwork.ozlabs.org/patch/818726	Third Party Advisory
http://www.securityfocus.com/bid/101573	Third Party Advisory
https://blogs.securiteam.com/index.php/archives/3484	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2017/12/msg00004.html	Mailing List

URL	Date	SRC
https://www.exploit-db.com/exploits/44053	2017-10-17
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.6	2024-08-05

URL	Date	SRC
https://github.com/torvalds/linux/commit/008ba2a13f2d04c947adc536d19debb8fe66f110	2018-08-24
https://github.com/torvalds/linux/commit/4971613c1639d8e5f102c4e797c3bf8f83a5a69e	2018-08-24

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2018:0151	2018-08-24
https://access.redhat.com/errata/RHSA-2018:0152	2018-08-24
https://access.redhat.com/errata/RHSA-2018:0181	2018-08-24
https://usn.ubuntu.com/3754-1	2018-08-24
https://access.redhat.com/security/cve/CVE-2017-15649	2018-01-25
https://bugzilla.redhat.com/show_bug.cgi?id=1504574	2018-01-25

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				<= 4.13.5 Search vendor "Linux" for product "Linux Kernel" and version " <= 4.13.5"		-		Affected