Vulnerability identifier: #VU1255
Vulnerability risk: Low
CVSSv3.1:
CVE-ID:
CWE-ID: CWE-121
Exploitation vector: Local
Exploit availability: No
Vulnerable software: Linux kernel (Operating systems & Components / Operating system)
Vendor: Linux Foundation
Description
The vulnerability allows a local user to cause kernel panic or escalate privileges.
The vulnerability exists due to a boundary error when creating an ICMP header. A local user can create a very short ICMP header and execute arbitrary code within the context of the kernel.
Successful exploitation of the vulnerability may allow a local user to escalate privileges on the system.
Mitigation
Update to version 4.8.14 or 4.4.38.
Vulnerable software versions
Linux kernel: 4.1.1 - 4.8.13
CPE
External links
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.14
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.38
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.1.37
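As an added example (not part of the advisory or any vendor tooling), the shell function below classifies an upstream kernel.org version string against the vulnerable range and fixed releases listed on this page. The function name and status labels are assumptions; 4.1.37 is reported as `review` because the page links its changelog without naming it as a fixed version.

```sh
#!/bin/sh
# Added example: classify an upstream kernel version against this advisory.
# Prints one of: vulnerable | fixed | review | not-listed | unparsed
# (function name and status labels are assumptions, not advisory terms)

vu1255_status() {
    # Keep the leading dotted number; drop suffixes such as "-rc1".
    ver=${1%%[!0-9.]*}
    [ -n "$ver" ] || { echo unparsed; return 0; }

    old_ifs=$IFS; IFS=.
    set -- $ver                      # split MAJOR.MINOR.PATCH on dots
    IFS=$old_ifs
    major=$1 minor=$2 patch=${3:-0}
    if [ -z "$major" ] || [ -z "$minor" ]; then echo unparsed; return 0; fi

    # The page lists 4.1.1 - 4.8.13 only; say nothing about other series.
    if [ "$major" -ne 4 ] || [ "$minor" -lt 1 ] || [ "$minor" -gt 8 ]; then
        echo not-listed; return 0
    fi

    case $minor in
        1)  if   [ "$patch" -lt 1 ];  then echo not-listed
            # ChangeLog-4.1.37 is linked, but Mitigation does not name it.
            elif [ "$patch" -ge 37 ]; then echo review
            else echo vulnerable; fi ;;
        4)  if [ "$patch" -ge 38 ]; then echo fixed; else echo vulnerable; fi ;;
        8)  if [ "$patch" -ge 14 ]; then echo fixed; else echo vulnerable; fi ;;
        # 4.2, 4.3, 4.5-4.7: inside the range, no fixed release named.
        *)  echo vulnerable ;;
    esac
}

# Constructed sample inputs, then the running kernel.
for v in 4.8.13 4.8.14 4.4.37 4.4.38 4.1.37 4.9.0 "$(uname -r)"; do
    printf '%-24s %s\n' "$v" "$(vu1255_status "$v")"
done
```

Distribution kernels often backport fixes without changing the upstream version number, so a vendor kernel's `uname -r` should be checked against the vendor's own advisory rather than this comparison alone.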