#VU95591 Improper input validation in Linux kernel - CVE-2006-0557

Cybersecurity Help s.r.o.

Published: 2006-03-12 | Updated: 2018-10-03

Vulnerability identifier: #VU95591

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2006-0557

CWE-ID: CWE-20

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

sys_mbind in mempolicy.c in Linux kernel 2.6.16 and earlier does not sanity check the maxnod variable before making certain computations for the get_nodes function, which has unknown impact and attack vectors.

Mitigation
Install update from vendor's repository.

Vulnerable software versions

Linux kernel: All versions

External links
https://lkml.org/lkml/2006/2/27/355
https://rhn.redhat.com/errata/RHBA-2007-0304.html
https://secunia.com/advisories/19955
https://secunia.com/advisories/20398
https://secunia.com/advisories/20914
https://securitytracker.com/id?1015752
https://www.debian.org/security/2006/dsa-1103
https://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=636f13c174dd7c84a437d3c3e8fa66f03f7fda63
https://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=636f13c174dd7c84a437d3c3e8fa66f03f7fda63
https://www.mandriva.com/security/advisories?name=MDKSA-2006:059
https://www.novell.com/linux/security/advisories/2006-05-31.html
https://www.osvdb.org/23895
https://www.securityfocus.com/bid/16924
https://www.vupen.com/english/advisories/2006/2554
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184510
https://exchange.xforce.ibmcloud.com/vulnerabilities/25204
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9674
https://usn.ubuntu.com/281-1/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper input validation in Linux kernel