-
CVE-2017-7184
Local privilege escalation in XFRM framework.
It was discovered that the xfrm framework for transforming packets in the Linux kernel did not properly validate data received from user space. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges.
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7184.html
-
CVE-2017-2647
Null pointer dereference in search_keyring().
A flaw was discovered in the Linux kernel's key subsystem. Calling request_key() system call with the specially crafted set of arguments may result in a NULL-pointer dereference inside search_keyring() function. A local unprivileged user can use this vulnerability to crash the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2647
-
CVE-2017-6214
ipv4/tcp: Infinite loop in tcp_splice_read().
The tcp_splice_read function in net/ipv4/tcp.c allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6214
-
PSBM-57512
A privileged user inside a container can cause a host kernel crash in udp_lib_get_port().
A privileged user inside a container can cause a host kernel crash in udp_lib_get_port().
-
PSBM-59964
Broken isolation for some of 'ip ntable' settings.
Broken isolation for some of "ip ntable" settings.
-
CVE-2017-6074
Use after free in the implementation of DCCP protocol.
A use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6074
-
PSBM-57511
General protection fault in sendmsg() -> netlink_sendmsg() -> netlink_unicast().
General protection fault in sendmsg() -> netlink_sendmsg() -> netlink_unicast().
-
PSBM-57499
NULL pointer dereference in write() -> netlink_sendmsg() -> netlink_unicast().
NULL pointer dereference in write() -> netlink_sendmsg() -> netlink_unicast().
-
PSBM-59983
iptables: forwarding does not work with '--netfilter full'.
iptables: forwarding does not work with '--netfilter full'.
-
CVE-2017-2584
kvm: use after free in complete_emulated_mmio.
Linux kernel built with the Kernel-based Virtual Machine(CONFIG_KVM) support is vulnerable to a use after free flaw. It could occur on x86 platform, when emulating instructions fxsave, fxrstor, sgdt, etc. A user/process could use this flaw to crash the host kernel resulting in DoS.
https://bugzilla.redhat.com/show_bug.cgi?id=1413001
-
CVE-2017-2583
kvm: vmx/svm potential privilege escalation inside guest.
Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to an incorrect segment selector (SS) value error. The error could occur while loading values into the SS register in long mode. A user/process inside guest could use this flaw to crash the guest resulting in DoS or potentially escalate their privileges inside guest.
https://bugzilla.redhat.com/show_bug.cgi?id=1414735
-
PSBM-54244
ip6tables: NULL pointer dereference in ip6t_unregister_table().
-
PSBM-57460
Potential deadlock in fuse_invalidate_files()
-
PSBM-57915
fs/fadvise: a way was needed to deactivate pages after cached reads.
Support for FADV_DEACTIVATE flag (fs/fadvise) was added to the kernel to address this.
-
CVE-2015-8539
Keys: general protection fault in trusted_update().
A flaw was found in the handling of negatively instantiated keys in the Linux kernel. A local unprivileged user can use this vulnerability to crash the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8539
-
PSBM-57010
Fuse: potential lockup in fuse_wait_on_page_writeback().
Fuse: potential lockup in fuse_wait_on_page_writeback().
-
PSBM-56703
User-triggerable WARN_ON() in the page allocator.
It was found that a user may trigger WARN_ON() in page allocator by requesting too many groups.
-
PSBM-56606
Lockdep: suspicious rcu_dereference_protected() usage in af_netlink.c.
Lockdep: suspicious rcu_dereference_protected() usage in af_netlink.c.
-
PSBM-55919
Fuse: performance problems in the implementation of fsync/fdatasync.
1. There is no need for mtime flush on fdatasync(). 2. Excessive locking in fuse_fsync().
-
PSBM-56474
Fuse: lockup in invalidate_inode_pages2_range().
Fuse: lockup in invalidate_inode_pages2_range().
-
PSBM-56609
Out-of-bounds memory read in keyring_compare_object().
A problem was found in the implementation of assoc_array that may cause an out-of-bounds read access in keyring_compare_object().
-
PSBM-56839
Some operations with btrfs subvolumes may consume all kernel memory.
An unprivileged user with the read-write access to more than one btrfs subvolume may easily consume all kernel memory (eventually triggering oom-killer).
-
CVE-2016-9806
Potential double free in netlink_dump().
A double free vulnerability was found in netlink_dump(), which could cause a denial of service or possibly other unspecified impact.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9806
-
CVE-2016-8645
A BUG() statement can be hit in net/ipv4/tcp_input.c.
It was discovered that the Linux kernel since 3.6-rc1 with net.ipv4.tcp_fastopen set to 1 can hit BUG() statement in tcp_collapse() function after making a number of certain syscalls leading to a possible system crash.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8645
-
CVE-2016-8655
Race condition in net/packet/af_packet.c which leads to a use-after-free.
A race-condition was found in net/packet/af_packet.c. It can be exploited to gain kernel code execution from unprivileged processes.
http://seclists.org/oss-sec/2016/q4/607
-
CVE-2016-9555
Slab out-of-bounds access in sctp_sf_ootb().
A bug was found in the Linux kernel sctp implementation which allows a remote attacker to trigger a slab-out-of-bounds access with an offset up to 64K bytes and cause a system crash.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9555
-
CVE-2016-0723
Kernel memory disclosure and crash in tty layer.
A use-after-free flaw was discovered in the Linux kernel's tty subsystem, which allows for the disclosure of uncontrolled memory location and possible kernel panic. The information leak is caused by a race condition when attempting to set and read the tty line discipline. A local attacker could use the TIOCSETD (via tty_set_ldisc) to switch to a new line discipline; a concurrent call to a TIOCGETD ioctl performing a read on a given tty could then access previously allocated memory. Up to 4 bytes could be leaked when querying the line discipline or the kernel could panic with a NULL-pointer dereference.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0723
-
CVE-2016-8650
Null pointer dereference via keyctl.
A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8650
-
CVE-2016-7911
block: fix use-after-free in sys_ioprio_get().
Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel before 4.6.6 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call.
https://source.android.com/security/bulletin/2016-11-01.html
-
CVE-2016-7910
block: fix use-after-free in seq file.
Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before 4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed.
https://source.android.com/security/bulletin/2016-11-01.html
-
CVE-2016-2053
Kernel panic and system lockup by triggering BUG_ON() in public_key_verify_signature()
A syntax vulnerability was discovered in the kernel's ASN1.1 DER decoder, which could lead to memory corruption or a complete local denial of service through x509 certificate DER files. A local system user could use a specially created key file to trigger BUG_ON() in the public_key_verify_signature() function (crypto/asymmetric_keys/public_key.c), to cause a kernel panic and crash the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2053
-
CVE-2016-8630
kvm: x86: NULL pointer dereference during instruction decode.
An error was found in the x86 instruction decoder in KVM that may result in the kernel crash on the host. Trying to process some invalid instructions may trigger a NULL pointer dereference.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8630
-
CVE-2016-7097
Setting a POSIX ACL via setxattr doesn't clear the setgid bit.
When file permissions are modified via chmod and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way; this allows to bypass the check in chmod.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7097
-
PSBM-54126
Out of bounds access in sctp_add_bind_addr.
It was found that sctp_add_bind_addr() may read more bytes than expected in case the parameter is a IPv4 address supplied by the user. The kernel might crash as a result.
https://groups.google.com/forum/#!msg/syzkaller/BhOYz2ZBraw/-k3iDvD8BAAJ
-
CVE-2016-5195
mm: privilege escalation via MAP_PRIVATE COW breakage.
A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5195
-
PSBM-52390
virtio-net: tx stall due to failed allocations of large skbs.
virtio-net: tx stall due to failed allocations of large skbs.
-
CVE-2016-3070
Null pointer dereference in trace_writeback_dirty_page().
An attempt to move page mapped by AIO ring buffer to the other node triggers NULL pointer dereference at trace_writeback_dirty_page(), because aio_fs_backing_dev_info.dev is 0.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3070
-
CVE-2016-6828
Use after free in tcp_xmit_retransmit_queue.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6828
-
CVE-2016-6136
audit: Race condition vulnerability in execve argv arguments.
Race condition in the audit_log_single_execve_arg function in the Linux kernel allows local users to bypass intended character-set restrictions or disrupt audit of the system calls.
Patch:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=43761473c254b45883a64441dd0bc85a42f3645c
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6136