CVE-2017-16995

Linux - BPF Sign Extension Local Privilege Escalation

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.

La función check_alu_op en kernel/bpf/verifier.c en el kernel de Linux, hasta la versión 4.4, permite que los usuarios locales provoquen una denegación de servicio (corrupción de memoria) o, posiblemente, causen otros impactos no especificados aprovechando una extensión de señal incorrecta

Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory. Jann Horn discovered that the Berkeley Packet Filter implementation in the Linux kernel did not properly check the relationship between pointer values and the BPF stack. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Various other issues were also addressed.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-11-27 CVE Reserved
2017-12-22 CVE Published
2018-03-16 First Exploit
2024-08-05 CVE Updated
2025-04-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (30)

URL	Tag	Source
http://openwall.com/lists/oss-security/2017/12/21/2	Mailing List
http://www.securityfocus.com/bid/102288	Third Party Advisory
https://bugs.chromium.org/p/project-zero/issues/detail?id=1454	Third Party Advisory
https://github.com/torvalds/linux/commit/95a762e2c8c942780948091f8f2a4f32fce1ac6f	Third Party Advisory

URL	Date	SRC
https://packetstorm.news/files/id/148517	2018-07-12
https://packetstorm.news/files/id/146823	2018-03-16
https://packetstorm.news/files/id/148607	2018-07-19
https://www.exploit-db.com/exploits/45058	2024-08-05
https://www.exploit-db.com/exploits/45010	2024-08-05
https://www.exploit-db.com/exploits/44298	2024-08-05
https://github.com/Al1ex/CVE-2017-16995	2021-09-08
https://github.com/C0dak/CVE-2017-16995	2018-03-19
https://github.com/gugronnier/CVE-2017-16995	2018-12-05
https://github.com/ph4ntonn/CVE-2017-16995	2021-01-28
https://github.com/anldori/CVE-2017-16995	2023-01-09
https://github.com/vnik5287/CVE-2017-16995	2019-07-23
https://github.com/fei9747/CVE-2017-16995	2021-09-08
https://github.com/littlebin404/CVE-2017-16995	2019-08-14
https://github.com/Lumindu/CVE-2017-16995-Linux-Kernel---BPF-Sign-Extension-Local-Privilege-Escalation-	2020-05-12
https://github.com/senyuuri/cve-2017-16995	2022-03-28
https://github.com/ivilpez/cve-2017-16995.c	2022-11-26
https://github.com/mareks1007/cve-2017-16995	2023-12-13
https://github.com/ZhiQiAnSecFork/cve-2017-16995	2023-12-15

URL	Date	SRC

URL	Date	SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=95a762e2c8c942780948091f8f2a4f32fce1ac6f	2023-01-19
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=a6132276ab5dcc38b3299082efeb25b948263adb	2023-01-19
https://usn.ubuntu.com/3619-1	2023-01-19
https://usn.ubuntu.com/3619-2	2023-01-19
https://usn.ubuntu.com/3633-1	2023-01-19
https://usn.ubuntu.com/usn/usn-3523-2	2023-01-19
https://www.debian.org/security/2017/dsa-4073	2023-01-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 4.9.72 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 4.9.72"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.10 < 4.14.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 4.14.9"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		esm		Affected