CVE-2017-6074
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free (PoC)
Public Exploits: 6
Exploited in Wild: -
Descriptions
The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.
A use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.
The rhev-hypervisor package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Security Fix: A use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol implementation freed SKB resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.
SSVC
- Decision: -
Timeline
- 2017-02-17 CVE Reserved
- 2017-02-18 CVE Published
- 2017-02-27 First Exploit
- 2024-08-05 CVE Updated
- 2025-04-18 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-415: Double Free
- CWE-416: Use After Free
References (32)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2017/02/22/3 | Mailing List | |
http://www.securityfocus.com/bid/96310 | Third Party Advisory | |
http://www.securitytracker.com/id/1037876 | Third Party Advisory | |
https://source.android.com/security/bulletin/2017-07-01 | Third Party Advisory | |
https://www.tenable.com/security/tns-2017-07 | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://packetstorm.news/files/id/141339 | 2017-02-27 | |
https://packetstorm.news/files/id/141331 | 2017-02-27 | |
https://www.exploit-db.com/exploits/41457 | 2024-08-05 | |
https://www.exploit-db.com/exploits/41458 | 2024-08-05 | |
https://github.com/toanthang1842002/CVE-2017-6074 | 2023-07-15 | |
https://github.com/BimsaraMalinda/Linux-Kernel-4.4.0-Ubuntu---DCCP-Double-Free-Privilege-Escalation-CVE-2017-6074 | 2020-05-12 | |

URL | Date | SRC |
---|---|---|
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html | 2023-02-10 | |
https://github.com/torvalds/linux/commit/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 | 2023-02-10 | |

Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Linux | Linux Kernel | < 3.2.86 | - | Affected |
Linux | Linux Kernel | >= 3.3 < 3.10.106 | - | Affected |
Linux | Linux Kernel | >= 3.11 < 3.12.71 | - | Affected |
Linux | Linux Kernel | >= 3.13 < 3.16.41 | - | Affected |
Linux | Linux Kernel | >= 3.17 < 3.18.49 | - | Affected |
Linux | Linux Kernel | >= 3.19 < 4.1.41 | - | Affected |
Linux | Linux Kernel | >= 4.2 < 4.4.52 | - | Affected |
Linux | Linux Kernel | >= 4.5 < 4.9.13 | - | Affected |
Debian | Debian Linux | 8.0 | - | Affected |