Main Vulnerability Database Vulnerabilities #VU90827

Use-after-free in Linux kernel - CVE-2015-8963

Published: November 16, 2016 / Updated: December 14, 2023

Vulnerability identifier: #VU90827

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2015-8963

CWE-ID: CWE-416

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Linux Foundation

Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to a use-after-free error within the DEFINE_PER_CPU(), perf_swevent_add(), swevent_hlist_get_cpu(), perf_event_init_cpu() and perf_event_exit_cpu_context() functions in kernel/events/core.c. A local non-authenticated attacker can execute arbitrary code.

How to mitigate CVE-2015-8963

Install update from vendor's website.

Sources

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=12ca6ad2e3a896256f086497a7c7406a547ee373
https://github.com/torvalds/linux/commit/12ca6ad2e3a896256f086497a7c7406a547ee373
http://source.android.com/security/bulletin/2016-11-01.html
http://www.securityfocus.com/bid/94207

Use-after-free in Linux kernel - CVE-2015-8963

Detailed vulnerability description

How to mitigate CVE-2015-8963

Sources

Please verify you're human