CVE-2010-3432 — Improper Input Validation in Kernel

CWE-20 — Improper Input Validation CWE-228 — Improper Handling of Syntactically Invalid Structure CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer10 documents6 sources

Severity

7.8HIGHNVD

EPSS

4.3%

top 11.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Canonical Ubuntu Linux Debian Linux +2 more

Timeline

PublishedNov 22

Latest updateMay 13

Description

The sctp_packet_config function in net/sctp/output.c in the Linux kernel before 2.6.35.6 performs extraneous initializations of packet data structures, which allows remote attackers to cause a denial of service (panic) via a certain sequence of SCTP traffic.

CVSS vector

AV:N/AC:L/C:N/I:N/A:CExploitability: 10.0 | Impact: 6.9

Affected Packages3 packages

▶NVDlinux/linux_kernel< 2.6.35.6

▶NVDsuse/linux_enterprise_real_time_extension11

▶NVDopensuse/opensuse11.3

Also affects: Debian Linux 5.0, Ubuntu Linux 10.04, 10.10, 6.06, 8.04, 9.04, 9.10

Patches

Patch: marc.info ↗Patch: marc.info ↗Patch: marc.info ↗

🔴Vulnerability Details

GHSA

GHSA-r446-qh2r-fgc7: The sctp_packet_config function in net/sctp/output↗2022-05-13

▶

CVEList

CVE-2010-3432: The sctp_packet_config function in net/sctp/output↗2010-11-20

▶

📋Vendor Advisories

Ubuntu

Linux Kernel vulnerabilities (Marvell Dove)↗2011-03-25

▶

Ubuntu

Linux kernel vulnerabilities↗2011-03-03

▶

Ubuntu

Linux kernel vulnerabilities↗2011-02-28

▶

Ubuntu

Linux kernel vulnerabilities↗2011-02-25

▶

Ubuntu

Linux kernel vulnerabilities↗2010-10-19

▶

💬Community

Bugzilla

CVE-2010-3432 kernel: sctp: do not reset the packet during sctp_packet_config↗2010-09-27

▶