CVE-2016-5696
published 2016-08-06

Priority P432 | medium 4.8 | CVSS 3.0
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS: 15.07% (96.3th percentile)

net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.

Affected

13 ranges
Vendor | Product | Version range | Fixed in
debian | linux | < linux 4.7.2-1 (bookworm) | linux 4.7.2-1 (bookworm)
google | android | <= 7.0 |
google | android | |
linux | linux_kernel | <= 4.6.6 |
linux | linux_kernel | >= 0 < 4.7.2-1 | 4.7.2-1
linux | linux_kernel | >= 0 < 4.7.2-1 | 4.7.2-1
linux | linux_kernel | >= 0 < 4.7.2-1 | 4.7.2-1
linux | linux_kernel | >= 0 < 4.7.2-1 | 4.7.2-1
linux | linux_kernel | >= 0 < 3.13.0-95.142 | 3.13.0-95.142
linux | linux_kernel | >= 0 < 4.4.0-36.55 | 4.4.0-36.55
oracle | vm_server | |
oracle | vm_server | |
paloalto | pan-os | |

Detection & IOCs (extracted from sources)

  • Attack vector is off-path (blind in-window); attacker exploits the global challenge ACK rate limit counter by creating congestion and measuring changes via probing packets — monitor for abnormal TCP RST or unexpected payload injection in established TCP sessions
  • The vulnerable code path is net/ipv4/tcp_input.c — focus kernel-level monitoring and integrity checks on this file and the challenge ACK rate-limiting logic
  • Attack technique is a blind in-window attack leveraging RFC 5961 challenge ACK rate limiting — detect by monitoring for high rates of challenge ACK segments or anomalous ACK patterns on TCP connections
  • Linux kernels shipped with Red Hat Enterprise Linux 4 and 5 are NOT affected by this vulnerability
  • Vulnerability is fixed in Linux kernel 4.7 and later; systems running kernel >= 4.7 are not vulnerable

CVSS provenance

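Source | Version | Score | Severity | Vector
nvd | v3.0 | 4.8 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:P
osv | | 7.5 | HIGH |
vendor_ubuntu | | 7.5 | HIGH |
vendor_debian | | 4.8 | MEDIUM |
vendor_redhat | | 4.8 | MEDIUM |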