CVE-2015-3636: Use After Free in Kernel

Severity: 5.5 MEDIUM NVD
NVD 4.9 | OSV 4.9
EPSS: 3.3% (top 12.75%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 6 | Latest update May 14

Description

The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a disconnect.

CVSS vector

AV:L/AC:L/C:N/I:N/A:C
Exploitability: 3.9 | Impact: 6.9

Affected Packages (6 packages)

NVD | linux/linux_kernel | < 4.3 | +1
Debian | linux/linux_kernel | < 4.3.1-1 | +7
Ubuntu | linux/linux_kernel | < 3.13.0-54.91
debian | debian/linux | < linux 4.0.2-1 (bookworm) | +1
NVD | google/android | 6.0.1

Also affects: Debian Linux 7.0, Ubuntu Linux 12.04, Enterprise Linux 6.0

🔴 Vulnerability Details (7)

GHSA
GHSA-67pv-68g5-4j93: The ping_unhash function in net/ipv4/ping (2022-05-14)
GHSA
GHSA-9548-jjm6-2wmw: The LIST_POISON feature in include/linux/poison (2022-05-13)
OSV
CVE-2016-0821: The LIST_POISON feature in include/linux/poison (2016-03-12)
OSV
CVE-2015-3636: The ping_unhash function in net/ipv4/ping (2015-08-06)
OSV
linux-lts-vivid vulnerabilities (2015-06-10)

📋 Vendor Advisories (13)

Debian
CVE-2016-0821: linux - The LIST_POISON feature in include/linux/poison.h in the Linux kernel before 4.3... (2016)
Red Hat
kernel: Too big poison pointer space (2015-09-10)
Android
CVE-2015-3636: Android Security Bulletin 2015-09-01 CVE: CVE-2015-3636 Severity: CRITICAL Affected AOSP versions: 5 (2015-09-01)
Ubuntu
Linux kernel vulnerabilities (2015-06-10)
Ubuntu
Linux kernel vulnerabilities (2015-06-10)

🕵️ Threat Intelligence (4)

Talos
Fake AV Investigation Unearths KevDroid, New Android Malware (2018-04-02)
Talos
Fake AV Investigation Unearths KevDroid, New Android Malware (2018-04-02)
Securelist
Skygofree: Following in the footsteps of HackingTeam (2018-01-16)
Securelist
Skygofree: Following in the footsteps of HackingTeam (2018-01-16)

💬 Community (2)

Bugzilla
CVE-2015-3636 kernel: ping sockets: use-after-free leading to local privilege escalation [fedora-all] (2015-05-04)
Bugzilla
CVE-2015-3636 kernel: ping sockets: use-after-free leading to local privilege escalation (2015-05-04)