CVE-2014-5077

CWE-476NULL Pointer DereferenceCWE-367CWE-416Use After Free17 documents8 sources
Severity
7.1HIGH
EPSS
12.8%
top 5.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
8
Linux Linux KernelCanonical Ubuntu LinuxRedhat Enterprise Linux EUS+5 more
Timeline
PublishedAug 1
Latest updateMay 13

Description

The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction.

CVSS vector

AV:N/AC:M/C:N/I:N/A:CExploitability: 8.6 | Impact: 6.9

Affected Packages5 packages

NVDlinux/linux_kernel2.6.243.2.63+5
Debianlinux< 3.14.15-1+3

Also affects: Ubuntu Linux 12.04, 14.04, Enterprise Linux 6.5, 6.2

Patches

Patch: bugzilla.redhat.comPatch: github.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

4
GHSA
GHSA-h74m-54fh-xp9p: The sctp_assoc_update function in net/sctp/associola2022-05-13
OSV
linux vulnerabilities2014-09-23
OSV
CVE-2014-5077: The sctp_assoc_update function in net/sctp/associola2014-08-01
CVEList
CVE-2014-5077: The sctp_assoc_update function in net/sctp/associola2014-08-01

📋Vendor Advisories

9
Ubuntu
Linux kernel (Trusty HWE) vulnerabilities2014-09-23
Ubuntu
Linux kernel vulnerabilities2014-09-23
Ubuntu
Linux kernel (OMAP4) vulnerabilities2014-09-02
Ubuntu
Linux kernel vulnerabilities2014-09-02
Ubuntu
Linux kernel (EC2) vulnerabilities2014-09-02

💬Community

2
Bugzilla
CVE-2014-5077 Kernel: net: SCTP: fix a NULL pointer dereference during INIT collisions [fedora-all]2014-07-28
Bugzilla
CVE-2014-5077 Kernel: net: SCTP: fix a NULL pointer dereference during INIT collisions2014-07-24