CVE-2016-4997

The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
2.6.17 ≤
𝑥
< 3.2.80
linuxlinux_kernel
3.3 ≤
𝑥
< 3.10.103
linuxlinux_kernel
3.11 ≤
𝑥
< 3.12.62
linuxlinux_kernel
3.13 ≤
𝑥
< 3.14.73
linuxlinux_kernel
3.15 ≤
𝑥
< 3.16.37
linuxlinux_kernel
3.17 ≤
𝑥
< 3.18.37
linuxlinux_kernel
3.19 ≤
𝑥
< 4.1.28
linuxlinux_kernel
4.2 ≤
𝑥
< 4.4.14
linuxlinux_kernel
4.5 ≤
𝑥
< 4.6.3
canonicalubuntu_linux
12.04
canonicalubuntu_linux
14.04
canonicalubuntu_linux
15.10
canonicalubuntu_linux
16.04
novellsuse_linux_enterprise_software_development_kit
12.0
novellsuse_linux_enterprise_software_development_kit
12.0:sp1
novellsuse_linux_enterprise_desktop
12.0
novellsuse_linux_enterprise_desktop
12.0:sp1
novellsuse_linux_enterprise_live_patching
12.0
novellsuse_linux_enterprise_module_for_public_cloud
12.0
novellsuse_linux_enterprise_real_time_extension
12.0:sp1
novellsuse_linux_enterprise_server
12.0
novellsuse_linux_enterprise_server
12.0:sp1
novellsuse_linux_enterprise_workstation_extension
12.0
novellsuse_linux_enterprise_workstation_extension
12.0:sp1
debiandebian_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.106-3
fixed
bookworm (security)
6.1.112-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.226-1
fixed
sid
6.11.6-1
fixed
trixie
6.11.5-1
fixed
wheezy
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
linux
artful
not-affected
precise
ignored
trusty
Fixed 3.13.0-91.138
released
wily
Fixed 4.2.0-41.48
released
xenial
Fixed 4.4.0-28.47
released
yakkety
not-affected
zesty
not-affected
linux-armadaxp
artful
dne
precise
ignored
trusty
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
linux-aws
artful
dne
precise
dne
trusty
not-affected
xenial
not-affected
yakkety
dne
zesty
dne
linux-azure
artful
dne
trusty
not-affected
xenial
not-affected
yakkety
dne
zesty
dne
linux-euclid
artful
dne
trusty
dne
xenial
not-affected
zesty
dne
linux-flo
artful
dne
precise
dne
trusty
dne
wily
ignored
xenial
ignored
yakkety
ignored
zesty
dne
linux-gcp
artful
dne
trusty
dne
xenial
not-affected
yakkety
dne
zesty
dne
linux-gke
artful
dne
precise
dne
trusty
dne
xenial
not-affected
yakkety
dne
zesty
dne
linux-goldfish
artful
dne
precise
dne
trusty
dne
wily
ignored
xenial
ignored
yakkety
ignored
zesty
ignored
linux-grouper
artful
dne
precise
dne
trusty
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
linux-hwe
artful
dne
precise
dne
trusty
dne
xenial
not-affected
yakkety
dne
zesty
dne
linux-hwe-edge
artful
dne
precise
dne
trusty
dne
xenial
not-affected
yakkety
dne
zesty
dne
linux-kvm
artful
dne
trusty
dne
xenial
not-affected
zesty
dne
linux-linaro-omap
artful
dne
precise
ignored
trusty
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
linux-linaro-shared
artful
dne
precise
ignored
trusty
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
linux-linaro-vexpress
artful
dne
precise
ignored
trusty
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
linux-lts-quantal
artful
dne
precise
ignored
trusty
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
linux-lts-raring
artful
dne
precise
ignored
trusty
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
linux-lts-saucy
artful
dne
precise
ignored
trusty
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
linux-lts-trusty
artful
dne
precise
Fixed 3.13.0-91.138~precise1
released
trusty
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
linux-lts-utopic
artful
dne
precise
dne
trusty
Fixed 3.16.0-76.98~14.04.1
released
wily
dne
xenial
dne
yakkety
dne
zesty
dne
linux-lts-vivid
artful
dne
precise
dne
trusty
Fixed 3.19.0-64.72~14.04.1
released
wily
dne
xenial
dne
yakkety
dne
zesty
dne
linux-lts-wily
artful
dne
precise
dne
trusty
Fixed 4.2.0-41.48~14.04.1
released
wily
dne
xenial
dne
yakkety
dne
zesty
dne
linux-lts-xenial
artful
dne
precise
dne
trusty
Fixed 4.4.0-28.47~14.04.1
released
wily
dne
xenial
dne
yakkety
dne
zesty
dne
linux-maguro
artful
dne
precise
dne
trusty
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
linux-mako
artful
dne
precise
dne
trusty
dne
wily
ignored
xenial
ignored
yakkety
ignored
zesty
dne
linux-manta
artful
dne
precise
dne
trusty
dne
wily
ignored
xenial
dne
yakkety
dne
zesty
dne
linux-oem
artful
dne
trusty
dne
xenial
not-affected
zesty
dne
linux-qcm-msm
artful
dne
precise
ignored
trusty
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
linux-raspi2
artful
not-affected
precise
dne
trusty
dne
wily
Fixed 4.2.0-1033.43
released
xenial
Fixed 4.4.0-1016.22
released
yakkety
not-affected
zesty
not-affected
linux-snapdragon
artful
not-affected
precise
dne
trusty
dne
wily
dne
xenial
Fixed 4.4.0-1019.22
released
yakkety
not-affected
zesty
not-affected
linux-ti-omap4
artful
dne
precise
ignored
trusty
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
kernel-default
suse enterprise desktop 15
4.12.14-23.1
fixed
suse enterprise sap 12 SP1
3.12.62-60.62.1
fixed
suse enterprise sap 15
4.12.14-23.1
fixed
suse enterprise server 12
3.12.61-52.66.1
fixed
suse enterprise server 12 SP1
3.12.62-60.62.1
fixed
suse enterprise server 15
4.12.14-23.1
fixed
kernel-default-base
suse enterprise sap 12 SP1
3.12.62-60.62.1
fixed
suse enterprise server 12
3.12.61-52.66.1
fixed
suse enterprise server 12 SP1
3.12.62-60.62.1
fixed
kernel-default-man
suse enterprise sap 12 SP1
3.12.62-60.62.1
fixed
suse enterprise server 12
3.12.61-52.66.1
fixed
suse enterprise server 12 SP1
3.12.62-60.62.1
fixed
kernel-docs
suse enterprise desktop 15
4.12.14-23.1
fixed
suse enterprise sap 15
4.12.14-23.1
fixed
suse enterprise server 15
4.12.14-23.1
fixed
kernel-ec2
suse enterprise sap 12
3.12.62-60.62.1
fixed
suse enterprise sap 12 SP3
3.12.62-60.62.1
fixed
suse enterprise sap 12 SP4
3.12.62-60.62.1
fixed
suse enterprise sap 12 SP5
3.12.62-60.62.1
fixed
suse enterprise server 12
3.12.62-60.62.1
fixed
suse enterprise server 12 SP3
3.12.62-60.62.1
fixed
suse enterprise server 12 SP4
3.12.62-60.62.1
fixed
suse enterprise server 12 SP5
3.12.62-60.62.1
fixed
kernel-ec2-extra
suse enterprise sap 12
3.12.62-60.62.1
fixed
suse enterprise sap 12 SP3
3.12.62-60.62.1
fixed
suse enterprise sap 12 SP4
3.12.62-60.62.1
fixed
suse enterprise sap 12 SP5
3.12.62-60.62.1
fixed
suse enterprise server 12
3.12.62-60.62.1
fixed
suse enterprise server 12 SP3
3.12.62-60.62.1
fixed
suse enterprise server 12 SP4
3.12.62-60.62.1
fixed
suse enterprise server 12 SP5
3.12.62-60.62.1
fixed
kernel-macros
suse enterprise desktop 15
4.12.14-23.1
fixed
suse enterprise sap 12 SP1
3.12.62-60.62.1
fixed
suse enterprise sap 15
4.12.14-23.1
fixed
suse enterprise server 12
3.12.61-52.66.1
fixed
suse enterprise server 12 SP1
3.12.62-60.62.1
fixed
suse enterprise server 15
4.12.14-23.1
fixed
kernel-obs-build
suse enterprise desktop 15
4.12.14-23.1
fixed
suse enterprise sap 15
4.12.14-23.1
fixed
suse enterprise server 15
4.12.14-23.1
fixed
kernel-source
suse enterprise desktop 15
4.12.14-23.1
fixed
suse enterprise sap 12 SP1
3.12.62-60.62.1
fixed
suse enterprise sap 15
4.12.14-23.1
fixed
suse enterprise server 12
3.12.61-52.66.1
fixed
suse enterprise server 12 SP1
3.12.62-60.62.1
fixed
suse enterprise server 15
4.12.14-23.1
fixed
kernel-syms
suse enterprise desktop 15
4.12.14-23.1
fixed
suse enterprise sap 12 SP1
3.12.62-60.62.1
fixed
suse enterprise sap 15
4.12.14-23.1
fixed
suse enterprise server 12
3.12.61-52.66.1
fixed
suse enterprise server 12 SP1
3.12.62-60.62.1
fixed
suse enterprise server 15
4.12.14-23.1
fixed
kernel-vanilla-base
suse enterprise desktop 15
4.12.14-23.1
fixed
suse enterprise sap 15
4.12.14-23.1
fixed
suse enterprise server 15
4.12.14-23.1
fixed
kernel-xen
suse enterprise sap 12 SP1
3.12.62-60.62.1
fixed
suse enterprise server 12
3.12.61-52.66.1
fixed
suse enterprise server 12 SP1
3.12.62-60.62.1
fixed
kernel-xen-base
suse enterprise sap 12 SP1
3.12.62-60.62.1
fixed
suse enterprise server 12
3.12.61-52.66.1
fixed
suse enterprise server 12 SP1
3.12.62-60.62.1
fixed
kgraft-patch-3_12_51-52_31-default-6
suse enterprise server 12
5.1
fixed
kgraft-patch-3_12_51-52_31-xen-6
suse enterprise server 12
5.1
fixed
kgraft-patch-3_12_51-52_34-default-6
suse enterprise server 12
2.1
fixed
kgraft-patch-3_12_51-52_34-xen-6
suse enterprise server 12
2.1
fixed
kgraft-patch-3_12_51-52_39-default-5
suse enterprise server 12
2.1
fixed
kgraft-patch-3_12_51-52_39-xen-5
suse enterprise server 12
2.1
fixed
kgraft-patch-3_12_55-52_42-default-3
suse enterprise server 12
2.1
fixed
kgraft-patch-3_12_55-52_42-xen-3
suse enterprise server 12
2.1
fixed
kgraft-patch-3_12_55-52_45-default-3
suse enterprise server 12
2.1
fixed
kgraft-patch-3_12_55-52_45-xen-3
suse enterprise server 12
2.1
fixed
kgraft-patch-3_12_60-52_49-default-3
suse enterprise server 12
2.1
fixed
kgraft-patch-3_12_60-52_49-xen-3
suse enterprise server 12
2.1
fixed
kgraft-patch-3_12_61-52_66-default-1
suse enterprise server 12
2.1
fixed
kgraft-patch-3_12_61-52_66-xen-1
suse enterprise server 12
2.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
kernel
RHEL 7
0:3.10.0-327.36.1.el7
fixed
kernel-abi-whitelists
RHEL 7
0:3.10.0-327.36.1.el7
fixed
kernel-bootwrapper
RHEL 7
0:3.10.0-327.36.1.el7
fixed
kernel-debug
RHEL 7
0:3.10.0-327.36.1.el7
fixed
kernel-debug-devel
RHEL 7
0:3.10.0-327.36.1.el7
fixed
kernel-devel
RHEL 7
0:3.10.0-327.36.1.el7
fixed
kernel-doc
RHEL 7
0:3.10.0-327.36.1.el7
fixed
kernel-headers
RHEL 7
0:3.10.0-327.36.1.el7
fixed
kernel-kdump
RHEL 7
0:3.10.0-327.36.1.el7
fixed
kernel-kdump-devel
RHEL 7
0:3.10.0-327.36.1.el7
fixed
kernel-rt
RHEL 7
0:3.10.0-327.36.1.rt56.237.el7
fixed
kernel-rt-debug
RHEL 7
0:3.10.0-327.36.1.rt56.237.el7
fixed
kernel-rt-debug-devel
RHEL 7
0:3.10.0-327.36.1.rt56.237.el7
fixed
kernel-rt-debug-kvm
RHEL 7
0:3.10.0-327.36.1.rt56.237.el7
fixed
kernel-rt-devel
RHEL 7
0:3.10.0-327.36.1.rt56.237.el7
fixed
kernel-rt-doc
RHEL 7
0:3.10.0-327.36.1.rt56.237.el7
fixed
kernel-rt-kvm
RHEL 7
0:3.10.0-327.36.1.rt56.237.el7
fixed
kernel-rt-trace
RHEL 7
0:3.10.0-327.36.1.rt56.237.el7
fixed
kernel-rt-trace-devel
RHEL 7
0:3.10.0-327.36.1.rt56.237.el7
fixed
kernel-rt-trace-kvm
RHEL 7
0:3.10.0-327.36.1.rt56.237.el7
fixed
kernel-tools
RHEL 7
0:3.10.0-327.36.1.el7
fixed
kernel-tools-libs
RHEL 7
0:3.10.0-327.36.1.el7
fixed
kernel-tools-libs-devel
RHEL 7
0:3.10.0-327.36.1.el7
fixed
perf
RHEL 7
0:3.10.0-327.36.1.el7
fixed
python-perf
RHEL 7
0:3.10.0-327.36.1.el7
fixed
Common Weakness Enumeration
References
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00061.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00048.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00050.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00051.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00052.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00053.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00054.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00055.html
http://rhn.redhat.com/errata/RHSA-2016-1847.html
http://rhn.redhat.com/errata/RHSA-2016-1875.html
http://rhn.redhat.com/errata/RHSA-2016-1883.html
http://www.debian.org/security/2016/dsa-3607
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.3
http://www.openwall.com/lists/oss-security/2016/06/24/5
http://www.openwall.com/lists/oss-security/2016/09/29/10
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html
http://www.securityfocus.com/bid/91451
http://www.securitytracker.com/id/1036171
http://www.ubuntu.com/usn/USN-3016-1
http://www.ubuntu.com/usn/USN-3016-2
http://www.ubuntu.com/usn/USN-3016-3
http://www.ubuntu.com/usn/USN-3016-4
http://www.ubuntu.com/usn/USN-3017-1
http://www.ubuntu.com/usn/USN-3017-2
http://www.ubuntu.com/usn/USN-3017-3
http://www.ubuntu.com/usn/USN-3018-1
http://www.ubuntu.com/usn/USN-3018-2
http://www.ubuntu.com/usn/USN-3019-1
http://www.ubuntu.com/usn/USN-3020-1
https://bugzilla.redhat.com/show_bug.cgi?id=1349722
https://github.com/nccgroup/TriforceLinuxSyscallFuzzer/tree/master/crash_reports/report_compatIpt
https://github.com/torvalds/linux/commit/ce683e5f9d045e5d67d1312a42b359cb2ab2a13c
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05347541
https://www.exploit-db.com/exploits/40435/
https://www.exploit-db.com/exploits/40489/
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00061.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00048.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00050.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00051.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00052.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00053.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00054.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00055.html
http://rhn.redhat.com/errata/RHSA-2016-1847.html
http://rhn.redhat.com/errata/RHSA-2016-1875.html
http://rhn.redhat.com/errata/RHSA-2016-1883.html
http://www.debian.org/security/2016/dsa-3607
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.3
http://www.openwall.com/lists/oss-security/2016/06/24/5
http://www.openwall.com/lists/oss-security/2016/09/29/10
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html
http://www.securityfocus.com/bid/91451
http://www.securitytracker.com/id/1036171
http://www.ubuntu.com/usn/USN-3016-1
http://www.ubuntu.com/usn/USN-3016-2
http://www.ubuntu.com/usn/USN-3016-3
http://www.ubuntu.com/usn/USN-3016-4
http://www.ubuntu.com/usn/USN-3017-1
http://www.ubuntu.com/usn/USN-3017-2
http://www.ubuntu.com/usn/USN-3017-3
http://www.ubuntu.com/usn/USN-3018-1
http://www.ubuntu.com/usn/USN-3018-2
http://www.ubuntu.com/usn/USN-3019-1
http://www.ubuntu.com/usn/USN-3020-1
https://bugzilla.redhat.com/show_bug.cgi?id=1349722
https://github.com/nccgroup/TriforceLinuxSyscallFuzzer/tree/master/crash_reports/report_compatIpt
https://github.com/torvalds/linux/commit/ce683e5f9d045e5d67d1312a42b359cb2ab2a13c
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05347541
https://www.exploit-db.com/exploits/40435/
https://www.exploit-db.com/exploits/40489/