Local denial of service in Linux kernel

Published: 2017-02-19
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-6074
Exploitation vector Local
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Linux kernel
Operating systems & Components / Operating system

Vendor Linux Foundation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Resource management error


Risk: Low


CVE-ID: CVE-2017-6074

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: Yes


The vulnerability allows a local user to cause kernel panic.

The vulnerability exists due to invalid free in the dccp_rcv_state_process() function in net/dccp/input.c file in the Linux kernel through 4.9.11 when processing DCCP_PKT_REQUEST packet data structures in the LISTEN state. A local user can use userspace application to make an IPV6_RECVPKTINFO setsockopt system call and cause kernel panic.

Successful exploitation of this vulnerability may result in denial of service condition.


Install patch from GIT repository.

Vulnerable software versions

Linux kernel: 4.1.1 - 4.9.11

CPE2.3 External links


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?