Denial of service in Linux Kernel
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2017-17052 CVE-2018-10675 |
| CWE-ID | CWE-416 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Linux kernel Operating systems & Components / Operating system |
| Vendor | Linux Foundation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Use-after-free error
EUVDB-ID: #VU12108
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-17052
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to cause DoS condition on the target system.
The weakness exists in the mm_init function in kernel/fork.c due to improper clarification of the ->exe_file member of a new process's mm_struct. A local attacker can trigger use after free error and cause the service to crash.
Update to version 4.12.10.
Vulnerable software versionsLinux kernel: 4.12 - 4.12.9
CPE2.3- cpe:2.3:o:linux_foundation:linux_kernel:4.12:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.12.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.12.2:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.12.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.12.4:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.12.5:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.12.6:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.12.7:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.12.8:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.12.9:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free error
EUVDB-ID: #VU13023
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-10675
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe weakness exists in the do_get_mempolicy function in mm/mempolicy.c due to use-after-free error. A local attacker can use specially crafted system calls, trigger memory corruption and cause the service to crash.
Mitigation
Update to version 4.12.9.
Vulnerable software versionsLinux kernel: 4.10 - 4.12.8
CPE2.3- cpe:2.3:o:linux_foundation:linux_kernel:4.10:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.10.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.10.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.10.2:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.10.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.10.4:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.10.5:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.10.6:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.10.7:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:4.10.8:*:*:*:*:*:*:*
https://github.com/torvalds/linux/commit/73223e4e2e3867ebf033a5a8eb2e5df0158ccc99
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
