-
PSBM-64734
Use after free in __sctp_connect().
A vulnerability was found in the implementation of the SCTP protocol in the Linux kernel. If the sctp module is loaded on the host, a privileged user inside a container could cause a kernel crash by triggering a use after free in the __sctp_connect() function with a specially crafted sequence of system calls.
-
CVE-2017-5970
ipv4: Invalid IP options could cause skb->dst drop.
A vulnerability was found in the Linux kernel where malicious IP options present on a packet would cause the ipv4_pktinfo_prepare() function to drop/free the dst. This could result in a system crash or possibly privilege escalation.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5970
-
CVE-2017-6353
Possible double free in sctp_sendmsg().
net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6353
-
CVE-2017-5986
Kernel crash in sctp_wait_for_sndbuf().
Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5986
-
CVE-2017-7472
Memory leak in keyctl_set_reqkey_keyring().
A vulnerability was found in the Linux kernel. The keyctl_set_reqkey_keyring() function leaks the thread keyring, which allows an unprivileged local user to exhaust kernel memory.
https://bugzilla.redhat.com/show_bug.cgi?id=1442086
-
PSBM-56705
Kernel crash in proc_flush_task() triggerable by wait4() syscall.
A vulnerability was discovered in the kernel's handling of pid namespaces. A privileged user inside a container may trigger a kernel crash (NULL pointer dereference in proc_flush_task()) using a sequence of system calls that includes wait4().
-
PSBM-44587
Kernel crash in synchronize_mapping_faults_vma() when pfcache is active.
-
PSBM-52369
Kernel crash in cgroup_show_path() while running rkt in a container.
-
PSBM-63197
L1 VZ7 guest: kernel crash due to a race between attach and invalidate page.
-
CVE-2017-2636
Race condition access to n_hdlc.tbuf causes double free in n_hdlc_release().
A race condition flaw was found in the N_HDLC Linux kernel driver when accessing the n_hdlc.tbuf list, which can lead to a double free. A local, unprivileged user able to set the HDLC line discipline on a tty device could use this flaw to escalate their privileges on the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2636
-
CVE-2017-7308
Integer overflows in packet_set_ring().
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308
-
CVE-2017-7184
Local privilege escalation in XFRM framework.
It was discovered that the xfrm framework for transforming packets in the Linux kernel did not properly validate data received from user space. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges.
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7184.html
-
CVE-2017-2647
Null pointer dereference in search_keyring().
A flaw was discovered in the Linux kernel's key subsystem. Calling the request_key() system call with a specially crafted set of arguments may result in a NULL pointer dereference inside the search_keyring() function. A local unprivileged user can use this vulnerability to crash the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2647
-
CVE-2017-6214
ipv4/tcp: Infinite loop in tcp_splice_read().
The tcp_splice_read function in net/ipv4/tcp.c allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6214
-
PSBM-57512
A privileged user inside a container can cause a host kernel crash in udp_lib_get_port().
-
PSBM-59964
Broken isolation for some of 'ip ntable' settings.
-
CVE-2017-6074
Use after free in the implementation of DCCP protocol.
A use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6074
-
PSBM-57511
General protection fault in sendmsg() -> netlink_sendmsg() -> netlink_unicast().
-
PSBM-57499
NULL pointer dereference in write() -> netlink_sendmsg() -> netlink_unicast().
-
PSBM-59983
iptables: forwarding does not work with '--netfilter full'.
-
CVE-2016-9793
Signed overflow for SO_{SND|RCV}BUFFORCE.
Andrey Konovalov discovered that signed integer overflows existed in the setsockopt() system call when handling the SO_SNDBUFFORCE and SO_RCVBUFFORCE options. A local attacker with the CAP_NET_ADMIN capability could use this to cause a denial of service (system crash or memory corruption).
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9793.html
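The arithmetic behind this entry, as an added example that is neither the kernel's code nor part of the original page: a simplified model of the SO_SNDBUFFORCE path, in which the caller-supplied value is doubled and stored in the socket's signed sk_sndbuf field. The vulnerable variant doubles in unsigned arithmetic and lets the result land in a signed field, so a large request yields a negative buffer size; the fixed variant clamps the request to INT_MAX/2 before doubling, which is the approach the upstream fix took. The SOCK_MIN_SNDBUF value is illustrative, the handling of negative requests is this model's own choice (the real code path wraps instead), and the same overflow-in-validation class is what the packet_set_ring() entry (CVE-2017-7308) above describes.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative floor for the send buffer; the kernel derives its own value. */
#define SOCK_MIN_SNDBUF 2048

/*
 * Vulnerable model: the doubling and the max() are done as u32, then the
 * result is stored in a signed int field. Any request >= 0x40000000 produces
 * a value with the top bit set, i.e. a negative sk_sndbuf once stored.
 * (Conversion of an out-of-range u32 to int is implementation-defined in C;
 * GCC and Clang both wrap modulo 2^32, which is the behaviour modelled here.)
 */
int sndbuf_force_vulnerable(int val)
{
    uint32_t doubled = (uint32_t)val * 2u;
    uint32_t chosen = doubled > SOCK_MIN_SNDBUF ? doubled : SOCK_MIN_SNDBUF;
    return (int)chosen;               /* may be negative */
}

/*
 * Fixed model: clamp the request so that doubling cannot leave the int range,
 * then do the comparison in signed arithmetic. Negative requests are clamped
 * to zero here (model's choice) so the doubling below is always defined.
 */
int sndbuf_force_fixed(int val)
{
    if (val < 0)
        val = 0;
    if (val > INT_MAX / 2)
        val = INT_MAX / 2;
    int doubled = val * 2;            /* <= INT_MAX - 1, no overflow */
    return doubled > SOCK_MIN_SNDBUF ? doubled : SOCK_MIN_SNDBUF;
}

/* Sanity check a privileged caller could apply: a buffer size must be positive. */
int sndbuf_is_sane(int sndbuf)
{
    return sndbuf > 0;
}

int main(void)
{
    /* Constructed request values: one ordinary, two that overflow the doubling. */
    int requests[] = { 4096, 0x40000000, INT_MAX };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int v = sndbuf_force_vulnerable(requests[i]);
        int f = sndbuf_force_fixed(requests[i]);
        printf("request=%11d  vulnerable=%11d (%s)  fixed=%11d (%s)\n",
               requests[i],
               v, sndbuf_is_sane(v) ? "ok" : "NEGATIVE",
               f, sndbuf_is_sane(f) ? "ok" : "NEGATIVE");
    }
    return 0;
}
```

The fixed variant deliberately saturates rather than rejects: a CAP_NET_ADMIN caller asking for more than INT_MAX/2 still gets the largest representable buffer, which matches the semantics of the force options while keeping sk_sndbuf positive.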
-
CVE-2017-2584
kvm: use after free in complete_emulated_mmio.
A Linux kernel built with Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to a use-after-free flaw. It can occur on the x86 platform when emulating instructions such as fxsave, fxrstor and sgdt. A user/process could use this flaw to crash the host kernel, resulting in a DoS.
https://bugzilla.redhat.com/show_bug.cgi?id=1413001
-
CVE-2017-2583
kvm: vmx/svm potential privilege escalation inside guest.
A Linux kernel built with Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to an incorrect stack segment (SS) selector value error. The error can occur while loading values into the SS register in long mode. A user/process inside a guest could use this flaw to crash the guest, resulting in a DoS, or potentially to escalate their privileges inside the guest.
https://bugzilla.redhat.com/show_bug.cgi?id=1414735
-
PSBM-57915
fs/fadvise: a way was needed to deactivate pages after cached reads.
Support for FADV_DEACTIVATE flag (fs/fadvise) was added to the kernel to address this.
-
CVE-2015-8539
Keys: general protection fault in trusted_update().
A flaw was found in the handling of negatively instantiated keys in the Linux kernel. A local unprivileged user can use this vulnerability to crash the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8539
-
CVE-2016-9806
Potential double free in netlink_dump().
A double free vulnerability was found in netlink_dump(), which could cause a denial of service or possibly other unspecified impact.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9806
-
CVE-2016-8645
A BUG() statement can be hit in net/ipv4/tcp_input.c.
It was discovered that the Linux kernel since 3.6-rc1, with net.ipv4.tcp_fastopen set to 1, can hit the BUG() statement in the tcp_collapse() function after a certain sequence of syscalls, leading to a possible system crash.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8645
-
CVE-2016-2053
Kernel panic and system lockup by triggering BUG_ON() in public_key_verify_signature().
A syntax vulnerability was discovered in the kernel's ASN.1 DER decoder, which could lead to memory corruption or a complete local denial of service through X.509 certificate DER files. A local user could use a specially crafted key file to trigger the BUG_ON() in the public_key_verify_signature() function (crypto/asymmetric_keys/public_key.c), causing a kernel panic and crashing the system.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2053
-
CVE-2016-3070
Null pointer dereference in trace_writeback_dirty_page().
An attempt to migrate a page mapped by an AIO ring buffer to another node triggers a NULL pointer dereference in trace_writeback_dirty_page(), because aio_fs_backing_dev_info.dev is 0.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3070