CVE-2017-6214

kernel: ipv4/tcp: Infinite loop in tcp_splice_read()

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.

La función tcp_splice_read en net/ipv4/tcp.c en el kernel de Linux en versiones anteriores a 4.9.11 permite a atacantes remotos provocar una denegación de servicio (bucle infinito y bloqueo débil) a través de vectores que involucran un paquete TCP con la bandera URG.

A flaw was found in the Linux kernel's handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality could allow a remote attacker to force the kernel to enter a condition in which it could loop indefinitely.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix: A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-02-23 CVE Reserved
2017-02-23 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (13)

URL	Tag	Source
http://www.securityfocus.com/bid/96421	Vdb Entry
http://www.securitytracker.com/id/1037897	Vdb Entry
https://source.android.com/security/bulletin/2017-09-01	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccf7abb93af09ad0868ae9033d1ca8108bdaec82	2019-10-03
https://github.com/torvalds/linux/commit/ccf7abb93af09ad0868ae9033d1ca8108bdaec82	2019-10-03

URL	Date	SRC
http://www.debian.org/security/2017/dsa-3804	2019-10-03
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.11	2019-10-03
https://access.redhat.com/errata/RHSA-2017:1372	2019-10-03
https://access.redhat.com/errata/RHSA-2017:1615	2019-10-03
https://access.redhat.com/errata/RHSA-2017:1616	2019-10-03
https://access.redhat.com/errata/RHSA-2017:1647	2019-10-03
https://access.redhat.com/security/cve/CVE-2017-6214	2017-06-28
https://bugzilla.redhat.com/show_bug.cgi?id=1426542	2017-06-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				<= 4.9.10 Search vendor "Linux" for product "Linux Kernel" and version " <= 4.9.10"		-		Affected