Risk | Low |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2016-6136, CVE-2016-5400 |
CWE-ID | CWE-362, CWE-401 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software | Fedora (Operating systems & Components / Operating system); kernel (Operating systems & Components / Operating system package or component) |
Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU358
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-6136
Exploit availability: No
Description
The vulnerability allows local users to interrupt system-call auditing.
The vulnerability exists due to a flaw in the audit_log_single_execve_arg function. By exploiting a "double fetch" race condition, a local user can bypass the set restrictions and interrupt system-call auditing.
Successful exploitation of this vulnerability allows an attacker to trigger a race condition and interrupt system-call auditing.
Mitigation
Install updates from vendor's repository.
Vulnerable software versions
Fedora: 24
kernel: before 4.6.5-300.fc24
External links
https://bodhi.fedoraproject.org/updates/FEDORA-2016-30e3636e79
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU217
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-5400
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
Description
The vulnerability allows a local user to consume excessive memory and cause denial of service on the target system.
The vulnerability exists due to a resource error in the Airspy USB device driver. A local user can cause a memory leak and consume all available memory resources by creating a specially crafted USB device to emulate multiple SDR devices.
Successful exploitation of this vulnerability may result in denial of service.
Mitigation
Install updates from vendor's repository.
Vulnerable software versions
Fedora: 24
kernel: before 4.6.5-300.fc24
External links
https://bodhi.fedoraproject.org/updates/FEDORA-2016-30e3636e79
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.