CVE-2016-4558
Published: 2016-05-23
Priority: P4
CVSS 3.1: 7.0 (High), vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.86% (54.1th percentile)
The BPF subsystem in the Linux kernel before 4.5.5 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted application on (1) a system with more than 32 Gb of memory, related to the program reference count or (2) a 1 Tb system, related to the map reference count.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | linux | < linux 4.5.3-1 (bookworm) | linux 4.5.3-1 (bookworm) |
| linux | linux_kernel | >= 0 < 4.5.3-1 | 4.5.3-1 |
| linux | linux_kernel | >= 0 < 4.5.3-1 | 4.5.3-1 |
| linux | linux_kernel | >= 0 < 4.5.3-1 | 4.5.3-1 |
| linux | linux_kernel | >= 0 < 4.5.3-1 | 4.5.3-1 |
| linux | linux_kernel | >= 0 < 4.4.0-24.43 | 4.4.0-24.43 |
| linux | linux_kernel | >= 4.4 < 4.4.11 | 4.4.11 |
| linux | linux_kernel | >= 4.5 < 4.5.5 | 4.5.5 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd v3.1 | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | 7.0 | HIGH | — |
| vendor_debian | 7.0 | HIGH | — |
| vendor_redhat | 7.0 | HIGH | — |
| vendor_ubuntu | 5.1 | MEDIUM | — |
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2016-06-10·CVSS 5.1
CVE-2015-8839 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the kernel.
Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux
kernel incorrectly enables scatter/gather I/O. A remote attacker could use
this to obtain potentially sensitive information from kernel memory.
(CVE-2016-2117)
Jann Horn discovered that eCryptfs improperly attempted to use the mmap()
handler of a lower filesystem that did not implement one, causing a
recursive page fault to occur. A local unprivileged attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary code
with administrative privileges. (CVE-2016-1583)
Multiple race conditions were discovered in the Linux kernel's ext4 file
system. A local user could exploit this flaw to cau
Ubuntu
Linux kernel (Xenial HWE) vulnerabilities
vendor_ubuntu·2016-06-10·CVSS 5.1
CVE-2015-8839 [MEDIUM] Linux kernel (Xenial HWE) vulnerabilities
Title: Linux kernel (Xenial HWE) vulnerabilities
Summary: Several security issues were fixed in the kernel.
Ubuntu
Linux kernel (Raspberry Pi 2) vulnerabilities
vendor_ubuntu·2016-06-10·CVSS 5.1
CVE-2015-8839 [MEDIUM] Linux kernel (Raspberry Pi 2) vulnerabilities
Title: Linux kernel (Raspberry Pi 2) vulnerabilities
Summary: Several security issues were fixed in the kernel.
Red Hat
kernel: bpf: refcnt overflow
vendor_redhat·2016-04-28·CVSS 7.0
CVE-2016-4558 [HIGH] CWE-122 kernel: bpf: refcnt overflow
kernel: bpf: refcnt overflow
A flaw was found in the Linux kernel's implementation of BPF in which an application can overflow the 32-bit reference count of both BPF programs and maps. The reference count can wrap, resulting in a use after free.
Statement: This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 4, 5, 6, 7 and Red Hat Enterprise MRG 2.
Package: kernel (Red Hat Enterprise Linux 5) - Not af
Debian
CVE-2016-4558: linux - The BPF subsystem in the Linux kernel before 4.5.5 mishandles reference counts, ...
vendor_debian·2016·CVSS 7.0
CVE-2016-4558 [HIGH] CVE-2016-4558: linux - The BPF subsystem in the Linux kernel before 4.5.5 mishandles reference counts, ...
Scope: local
bookworm: resolved (fixed in 4.5.3-1)
bullseye: resolved (fixed in 4.5.3-1)
forky: resolved (fixed in 4.5.3-1)
sid: resolved (fixed in 4.5.3-1)
trixie: resolved (fixed in 4.5.3-1)
GHSA
GHSA-283c-4h8h-4xmp: The BPF subsystem in the Linux kernel before 4
ghsa_unreviewed·2022-05-17
CVE-2016-4558 [HIGH] GHSA-283c-4h8h-4xmp: The BPF subsystem in the Linux kernel before 4
OSV
linux-raspi2 vulnerabilities
osv·2016-06-10·CVSS 5.1
CVE-2016-2117 [MEDIUM] linux-raspi2 vulnerabilities
linux-raspi2 vulnerabilities
OSV
linux vulnerabilities
osv·2016-06-10·CVSS 5.1
CVE-2016-2117 [MEDIUM] linux vulnerabilities
linux vulnerabilities
OSV
linux-lts-xenial vulnerabilities
osv·2016-06-10·CVSS 5.1
CVE-2016-2117 [MEDIUM] linux-lts-xenial vulnerabilities
linux-lts-xenial vulnerabilities
OSV
CVE-2016-4558: The BPF subsystem in the Linux kernel before 4
osv·2016-05-23·CVSS 7.0
CVE-2016-4558 [HIGH] CVE-2016-4558: The BPF subsystem in the Linux kernel before 4
No detection rules found.
Bugzilla
CVE-2016-4558 kernel: bpf: refcnt overflow
bugzilla·2016-05-09·CVSS 7.0
CVE-2016-4558 [HIGH] CVE-2016-4558 kernel: bpf: refcnt overflow
CVE-2016-4558 kernel: bpf: refcnt overflow
A flaw was found in the Linux kernel's implementation of BPF: on systems with more than 32GB of physical memory and unlimited RLIMIT_MEMLOCK settings, an application can overflow a 32-bit refcount.
Additionally, in the same environment, malicious applications can overflow a map refcount on larger-memory (1Tb) systems. When the overflow wraps to zero, a reference can still be held while the object is freed. This can lead to a use after free.
CVE assignment:
http://seclists.org/oss-sec/2016/q2/266
Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=92117d8443bc5afacc8d5ba82e541946310f106e
Discussion:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1334311]
---
Statement:
This issue does not affect th
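The wrap described in this record, as an added user-space model that is not part of the record or of the kernel source: a 32-bit reference count with the pre-fix unbounded increment beside a bounded increment that refuses new references past a hard cap, which is the approach the upstream fix takes. The cap value, struct and function names here are this example's own choices.

```c
#include <errno.h>
#include <stdint.h>

/* Illustrative hard cap, far below 2^32; the upstream fix also refuses
 * references beyond a fixed limit, but this value is this example's choice. */
#define MAX_REFCNT 32768u

struct obj {
    uint32_t refcnt;  /* 32-bit counter, as in the affected kernels */
    int freed;        /* set once the last reference is dropped */
};

/* Pre-fix behaviour: every get increments with no upper bound. The n gets
 * are folded into one wrapping addition so the 2^32 case runs instantly. */
static void obj_get_unbounded(struct obj *o, uint64_t n) {
    o->refcnt = (uint32_t)(o->refcnt + n);
}

/* Fixed behaviour: refuse a new reference once the cap is reached. */
static int obj_get_bounded(struct obj *o) {
    if (o->refcnt >= MAX_REFCNT) return -EBUSY;
    o->refcnt++;
    return 0;
}

/* Drop one reference; the object is "freed" when the count reaches zero. */
static void obj_put(struct obj *o) {
    if (--o->refcnt == 0) o->freed = 1;
}

/* The owner holds one reference, n more are taken, then a single holder
 * releases. Returns 1 if the object was freed while references remain. */
static int freed_with_live_refs(uint64_t n) {
    struct obj o = { .refcnt = 1, .freed = 0 };
    obj_get_unbounded(&o, n);
    obj_put(&o);
    return o.freed;
}

/* Same scenario with the bounded get: returns how many gets succeeded before
 * -EBUSY, and reports through *freed whether the following put freed it. */
static uint32_t bounded_gets_then_put(uint64_t n, int *freed) {
    struct obj o = { .refcnt = 1, .freed = 0 };
    uint32_t ok = 0;
    for (uint64_t i = 0; i < n && obj_get_bounded(&o) == 0; i++) ok++;
    obj_put(&o);
    *freed = o.freed;
    return ok;
}
```

With 2^32 unbounded gets the counter wraps back to 1, so the very next put frees the object while billions of references are outstanding; the bounded variant stops at the cap and the same put leaves the object alive.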
Bugzilla
CVE-2016-4557 CVE-2016-4558 kernel: various flaws [fedora-all]
bugzilla·2016-05-09·CVSS 7.8
CVE-2016-4557 [HIGH] CVE-2016-4557 CVE-2016-4558 kernel: various flaws [fedora-all]
CVE-2016-4557 CVE-2016-4558 kernel: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While o
arXiv
Towards Linux Kernel Memory Safety
arxiv_fulltext·2017-10-17
Elena Reshetova (Intel OTC Finland, Espoo, Finland)
Hans Liljestrand (Aalto University, Espoo, Finland)
Andrew Paverd (Aalto University, Espoo, Finland)
N. Asokan (Aalto University, Espoo, Finland)
CCS concepts: Security and privacy → Operating systems security
Keywords: Linux kernel, memory safety
## Abstract
The security of billions of devices worldwide depends on the security and robustness of the mainline Linux kernel.
However, the increasing number of kernel-specific vulnerabilities, especiall
References:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=92117d8443bc5afacc8d5ba82e541946310f106e
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.5
http://www.openwall.com/lists/oss-security/2016/05/06/4
http://www.ubuntu.com/usn/USN-3005-1
http://www.ubuntu.com/usn/USN-3006-1
http://www.ubuntu.com/usn/USN-3007-1
https://bugzilla.redhat.com/show_bug.cgi?id=1334303
https://github.com/torvalds/linux/commit/92117d8443bc5afacc8d5ba82e541946310f106e