CVE-2016-0728
published 2016-02-08

Priority: P2 77 · Severity: high · CVSS 3.1 base score: 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW (exploited in the wild) · EXPLOIT (public exploit available) · VulnCheck KEV · Initial access
EPSS: 3.65% (88.2th percentile)
The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.
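What "mishandles object references in a certain error case" actually looks like, as an added example that is not part of this page and is not kernel source: a reduced C model of the join_session_keyring() path before and after the 4.4.1 fix. The struct key layout, the find_keyring_by_name() and key_put() stand-ins, the *_buggy/*_fixed function names and the near-wrap starting count are assumptions made for the demo; what is preserved is the shape of the bug, namely that the reference handed back by the name lookup is never put when the named keyring is already the caller's session keyring, which the real fix balances with a single key_put() on that path.

```c
/* Added example, not kernel source: reduced model of the CVE-2016-0728 ref leak. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct key {
    uint32_t usage;     /* kernel atomic_t: 32 bits, wraps silently on overflow */
    bool     freed;     /* set when the last reference is dropped */
    char     name[32];
};

/* Model of find_keyring_by_name(): hands back the session keyring with one extra reference. */
static struct key *find_keyring_by_name(struct key *session, const char *name)
{
    if (session == NULL || session->freed || strcmp(session->name, name) != 0)
        return NULL;
    session->usage++;
    return session;
}

/* Model of key_put(): drop one reference, free the object when the count reaches zero. */
static void key_put(struct key *key)
{
    if (key != NULL && --key->usage == 0)
        key->freed = true;
}

/* Pre-4.4.1 shape (assumed names): the named keyring is already our session keyring,
 * so there is nothing to install and the function returns early. Only this path is modelled. */
static int join_session_keyring_buggy(struct key *session, const char *name)
{
    struct key *keyring = find_keyring_by_name(session, name);
    if (keyring == NULL)
        return -1;                 /* the real code would create a new keyring here */
    return 0;                      /* BUG: the lookup's reference is never put */
}

/* 4.4.1 shape: identical except the reference taken by the lookup is dropped. */
static int join_session_keyring_fixed(struct key *session, const char *name)
{
    struct key *keyring = find_keyring_by_name(session, name);
    if (keyring == NULL)
        return -1;
    key_put(keyring);              /* FIX: balance the lookup's reference before returning */
    return 0;
}

/* Usage count after `calls` joins of the caller's own session keyring, starting from one reference. */
static uint32_t usage_after(bool fixed, unsigned calls)
{
    struct key session = { .usage = 1, .freed = false, .name = "leaked-keyring" };
    for (unsigned i = 0; i < calls; i++)
        (fixed ? join_session_keyring_fixed : join_session_keyring_buggy)(&session, "leaked-keyring");
    return session.usage;
}

/* Drive the count across the 32-bit wrap, then drop one reference as any later keyctl
 * that looks the keyring up and puts it would. Returns true if the keyring was freed
 * while the credentials still point at it (the use-after-free). start_usage near
 * 0xffffffff is a demo shortcut for the ~2^32 keyctl calls the real PoC makes. */
static bool drive_to_wrap(bool fixed, uint32_t start_usage, unsigned calls)
{
    struct key session = { .usage = start_usage, .freed = false, .name = "leaked-keyring" };
    for (unsigned i = 0; i < calls; i++)
        (fixed ? join_session_keyring_fixed : join_session_keyring_buggy)(&session, "leaked-keyring");
    key_put(&session);
    return session.freed;
}

int main(void)
{
    printf("usage after 10 joins: buggy=%u fixed=%u\n", usage_after(false, 10), usage_after(true, 10));
    printf("buggy keyring freed after wrap: %s\n", drive_to_wrap(false, 0xfffffffeu, 3) ? "yes (UAF)" : "no");
    printf("fixed keyring freed after wrap: %s\n", drive_to_wrap(true, 0xfffffffeu, 3) ? "yes" : "no");
    return 0;
}
```

The model makes the two halves of the NVD wording concrete: the leak alone is harmless until the count wraps (integer overflow), and the wrap alone frees nothing until the next reference drop (use-after-free), which is why the exploit needs both the long join loop and a final keyctl afterwards.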

Affected

44 ranges · showing 25

Vendor      Product        Version range                 Fixed in
canonical   ubuntu_linux   (4 ranges; versions not shown)
debian      debian_linux   (1 range; version not shown)
debian      linux          < linux 4.3.3-6 (bookworm)    linux 4.3.3-6 (bookworm)
google      android        (19 ranges; versions not shown)

Detection & IOCs (extracted from sources)

command: keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name)
command: keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING)
  • Detect repeated KEYCTL_JOIN_SESSION_KEYRING syscalls in a tight loop from a single process: each call that joins the process's own current session keyring by name leaks one reference, and the public PoC loops on the order of 0xfffffffd times so that the keyring's 32-bit reference count wraps (integer overflow).
  • Alert on KEYCTL_REVOKE issued against KEY_SPEC_SESSION_KEYRING immediately after such a high-volume join loop: this is the trigger step of the use-after-free, the reference drop that frees the keyring while the process's credentials still point at it.
  • Flag processes reading /proc/kallsyms to resolve commit_creds and prepare_kernel_cred: the modified exploit variant resolves these privilege-escalation targets at runtime instead of using hardcoded addresses. With kptr_restrict set, unprivileged reads of /proc/kallsyms return zeroed addresses, so that variant only works where the restriction is off.
  • The original exploit uses hardcoded kernel symbol addresses (commit_creds, prepare_kernel_cred) that are specific to one kernel build; the variant that reads /proc/kallsyms resolves them dynamically and is more portable.
  • The exploit links against the keyutils library (-lkeyutils) at compile time and takes a keyring name argument. Detection should account for the compiled binary name cve_2016_0728 as well as renamed variants, so match on the syscall pattern rather than the name alone.
  • The vulnerability affects Linux kernels before 4.4.1. Kernels 4.4.1 and later, and older kernels with the fix (the missing key_put() in join_session_keyring()) backported, are not susceptible to this refcount overflow; on distribution kernels check the package changelog rather than the upstream version number alone.
  • grsecurity/PaX refcount hardening prevents this exploit; the modified exploit variant explicitly notes this limitation.
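The first two detection rules above (a per-process join loop, then a revoke of the session keyring), as an added example that is not drawn from the page's sources: C that correlates keyctl() records in a trimmed auditd SYSCALL shape. The record layout, the sample records, JOIN_LOOP_THRESHOLD and the size of the per-pid state table are constructed assumptions for the demo; the syscall number and the keyctl constants are the real x86_64 values.

```c
/* Added detection example, not from the page's sources: per-pid keyctl correlation. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_KEYCTL_X86_64            250      /* __NR_keyctl on x86_64 */
#define KEYCTL_JOIN_SESSION_KEYRING 1
#define KEYCTL_REVOKE               3
#define KEY_SPEC_SESSION_KEYRING    (-3)
#define JOIN_LOOP_THRESHOLD         10000UL  /* assumption: tune per host; the exploit needs ~2^32 */
#define MAX_PIDS                    64       /* demo-sized state table */

enum verdict { V_NONE = 0, V_JOIN_LOOP = 1, V_UAF_TRIGGER = 2 };

struct pid_state { int pid; unsigned long joins; bool used; };
static struct pid_state table[MAX_PIDS];

static void reset_state(void) { memset(table, 0, sizeof table); }

/* Slots fill contiguously, so the first unused slot means the pid is new. */
static struct pid_state *state_for(int pid)
{
    for (int i = 0; i < MAX_PIDS; i++) {
        if (table[i].used && table[i].pid == pid)
            return &table[i];
        if (!table[i].used) {
            table[i].used = true; table[i].pid = pid; table[i].joins = 0;
            return &table[i];
        }
    }
    return NULL;                                  /* table full: demo limitation */
}

/* "key=value" lookup in an audit record; auditd prints pid/syscall in decimal, a0..a3 in hex. */
static bool field_num(const char *line, const char *key, int base, unsigned long long *out)
{
    const char *p = strstr(line, key);
    if (p == NULL) return false;
    *out = strtoull(p + strlen(key), NULL, base);
    return true;
}

/* True if the record is a keyctl() syscall; fills pid, keyctl operation and second argument. */
static bool parse_keyctl(const char *line, int *pid, long *op, int64_t *arg1)
{
    unsigned long long v_pid, v_sys, v_a0, v_a1;
    if (!field_num(line, " pid=", 10, &v_pid) || !field_num(line, " syscall=", 10, &v_sys) ||
        !field_num(line, " a0=", 16, &v_a0) || !field_num(line, " a1=", 16, &v_a1))
        return false;
    if (v_sys != NR_KEYCTL_X86_64)
        return false;
    *pid = (int)v_pid;
    *op = (long)v_a0;
    *arg1 = (int64_t)v_a1;                        /* a1=fffffffffffffffd is KEY_SPEC_SESSION_KEYRING (-3) */
    return true;
}

/* One record in, one verdict out: count joins per pid and pair the revoke with a long loop. */
static enum verdict ingest(const char *line)
{
    int pid; long op; int64_t arg1;
    if (!parse_keyctl(line, &pid, &op, &arg1))
        return V_NONE;
    struct pid_state *st = state_for(pid);
    if (st == NULL)
        return V_NONE;
    if (op == KEYCTL_JOIN_SESSION_KEYRING) {
        st->joins++;
        return st->joins == JOIN_LOOP_THRESHOLD ? V_JOIN_LOOP : V_NONE;   /* alert once per pid */
    }
    if (op == KEYCTL_REVOKE && arg1 == KEY_SPEC_SESSION_KEYRING && st->joins >= JOIN_LOOP_THRESHOLD)
        return V_UAF_TRIGGER;
    return V_NONE;
}

/* Constructed records in trimmed auditd SYSCALL shape (not captured from a real host). */
static const char BENIGN_JOIN[]   = "type=SYSCALL arch=c000003e syscall=250 success=yes exit=845 a0=1 a1=7ffd3c10 a2=0 a3=0 ppid=1 pid=1001 comm=\"bash\"";
static const char BENIGN_REVOKE[] = "type=SYSCALL arch=c000003e syscall=250 success=yes exit=0 a0=3 a1=fffffffffffffffd a2=0 a3=0 ppid=1 pid=1001 comm=\"bash\"";
static const char LOOP_JOIN[]     = "type=SYSCALL arch=c000003e syscall=250 success=yes exit=845 a0=1 a1=7ffe1a20 a2=0 a3=0 ppid=1 pid=4242 comm=\"cve_2016_0728\"";
static const char LOOP_REVOKE[]   = "type=SYSCALL arch=c000003e syscall=250 success=yes exit=0 a0=3 a1=fffffffffffffffd a2=0 a3=0 ppid=1 pid=4242 comm=\"cve_2016_0728\"";

/* Replays the demo stream: one ordinary join+revoke, then a loop past the threshold and a revoke.
 * Returns the number of use-after-free trigger alerts; loop_alerts receives the join-loop alerts. */
static int run_demo(unsigned long *loop_alerts)
{
    reset_state();
    int uaf = 0; unsigned long loops = 0;
    ingest(BENIGN_JOIN);
    if (ingest(BENIGN_REVOKE) == V_UAF_TRIGGER) uaf++;
    for (unsigned long i = 0; i < JOIN_LOOP_THRESHOLD + 5; i++)
        if (ingest(LOOP_JOIN) == V_JOIN_LOOP) loops++;
    if (ingest(LOOP_REVOKE) == V_UAF_TRIGGER) uaf++;
    if (loop_alerts) *loop_alerts = loops;
    return uaf;
}

int main(void)
{
    unsigned long loops;
    int uaf = run_demo(&loops);
    printf("join-loop alerts: %lu, use-after-free trigger alerts: %d\n", loops, uaf);
    return 0;
}
```

Writing every keyctl() through auditd at the rate the exploit runs is not viable, so in practice the per-pid counter is kept kernel-side (for instance an eBPF program on the syscalls:sys_enter_keyctl tracepoint) and only threshold crossings and the revoke are emitted; the pairing logic stays the same. The threshold only needs to sit well above any sane use of session keyrings and far below the 2^32 calls the wrap requires, so the join-loop alert fires long before the revoke can do damage.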

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
osv                       7.8     HIGH
vulncheck                 7.8     HIGH
vendor_debian             7.8     HIGH
vendor_redhat             7.8     HIGH