CVE-2016-6828
Published: 2016-10-16
Priority: P427
Severity: medium, CVSS 3.0 base score 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS: 1.18% (63.8th percentile)
The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 4.7.2-1 (bookworm) | linux 4.7.2-1 (bookworm) |
| android | — | — | |
| linux | linux_kernel | <= 4.7.4 | — |
| linux | linux_kernel | >= 0 < 4.7.2-1 | 4.7.2-1 |
| linux | linux_kernel | >= 0 < 3.13.0-98.145 | 3.13.0-98.145 |
| linux | linux_kernel | >= 0 < 4.4.0-42.62 | 4.4.0-42.62 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.9 | MEDIUM | AV:L/AC:L/Au:N/C:N/I:N/A:C |
| osv | — | 5.5 | MEDIUM | — |
| vendor_debian | — | 5.5 | MEDIUM | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |
| vendor_ubuntu | — | 5.1 | MEDIUM | — |
Android
CVE-2016-6828: Android Security Bulletin 2016-11-01
CVE: CVE-2016-6828
Severity: CRITICAL
References: A-31183296
Upstream
kernel
vendor_android·2016-11-01·CVSS 5.5
Ubuntu
Linux kernel (OMAP4) vulnerabilities
vendor_ubuntu·2016-10-13·CVSS 4.7
CVE-2016-6136 [MEDIUM] Linux kernel (OMAP4) vulnerabilities
Title: Linux kernel (OMAP4) vulnerabilities
Summary: Several security issues were fixed in the kernel.
Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2016-6828)
Pengfei Wang discovered a race condition in the audit subsystem in the
Linux kernel. A local attacker could use this to corrupt audit logs or
disrupt system-call auditing. (CVE-2016-6136)
Pengfei Wang discovered a race condition in the Adaptec AAC RAID controller
driver in the Linux kernel when handling ioctl()s. A local attacker could
use this to cause a denial of service (system crash). (CVE-2016-6480)
Instructions: After a standard
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2016-10-11·CVSS 4.7
CVE-2016-6136 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the kernel.
Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2016-6828)
Pengfei Wang discovered a race condition in the audit subsystem in the
Linux kernel. A local attacker could use this to corrupt audit logs or
disrupt system-call auditing. (CVE-2016-6136)
Pengfei Wang discovered a race condition in the Adaptec AAC RAID controller
driver in the Linux kernel when handling ioctl()s. A local attacker could
use this to cause a denial of service (system crash). (CVE-2016-6480)
Instructions: After a standard system
Ubuntu
Linux kernel (Xenial HWE) vulnerabilities
vendor_ubuntu·2016-10-11·CVSS 5.1
CVE-2016-6480 [MEDIUM] Linux kernel (Xenial HWE) vulnerabilities
Title: Linux kernel (Xenial HWE) vulnerabilities
Summary: Several security issues were fixed in the kernel.
USN-3099-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
Vladimír Beneš discovered an unbounded recursion in the VLAN and TEB
Generic Receive Offload (GRO) processing implementations in the Linux
kernel. A remote attacker could use this to cause a stack corruption,
leading to a denial of service (system crash). (CVE-2016-7039)
Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) o
Ubuntu
Linux kernel (Trusty HWE) vulnerabilities
vendor_ubuntu·2016-10-11·CVSS 4.7
CVE-2016-6136 [MEDIUM] Linux kernel (Trusty HWE) vulnerabilities
Title: Linux kernel (Trusty HWE) vulnerabilities
Summary: Several security issues were fixed in the kernel.
USN-3098-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 LTS.
Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2016-6828)
Vladimír Beneš discovered an unbounded recursion in the VLAN and TEB
Generic Receive Offload (GRO) processing implementations in the Linux
kernel. A remote attacker could use this to cause a stack corruption,
leading to a
Ubuntu
Linux kernel (Qualcomm Snapdragon) vulnerabilities
vendor_ubuntu·2016-10-11·CVSS 5.1
CVE-2016-6480 [MEDIUM] Linux kernel (Qualcomm Snapdragon) vulnerabilities
Title: Linux kernel (Qualcomm Snapdragon) vulnerabilities
Summary: Several security issues were fixed in the kernel.
Vladimír Beneš discovered an unbounded recursion in the VLAN and TEB
Generic Receive Offload (GRO) processing implementations in the Linux
kernel. A remote attacker could use this to cause a stack corruption,
leading to a denial of service (system crash). (CVE-2016-7039)
Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2016-6828)
Pengfei Wang discovered a race condition in the Adaptec AAC RAID controller
driver in the Linux kernel when handling ioctl()s. A local attacker could
use
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2016-10-11·CVSS 4.7
CVE-2016-6136 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the kernel.
Vladimír Beneš discovered an unbounded recursion in the VLAN and TEB
Generic Receive Offload (GRO) processing implementations in the Linux
kernel. A remote attacker could use this to cause a stack corruption,
leading to a denial of service (system crash). (CVE-2016-7039)
Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2016-6828)
Pengfei Wang discovered a race condition in the audit subsystem in the
Linux kernel. A local attacker could use this to corrupt audit logs or
disrupt system-call auditing. (CV
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2016-10-11·CVSS 4.7
CVE-2016-6130 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the kernel.
Vladimír Beneš discovered an unbounded recursion in the VLAN and TEB
Generic Receive Offload (GRO) processing implementations in the Linux
kernel. A remote attacker could use this to cause a stack corruption,
leading to a denial of service (system crash). (CVE-2016-7039)
Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2016-6828)
Pengfei Wang discovered a race condition in the s390 SCLP console driver
for the Linux kernel when handling ioctl()s. A local attacker could use
this to obtain sensitive infor
Ubuntu
Linux kernel (Raspberry Pi 2) vulnerabilities
vendor_ubuntu·2016-10-11·CVSS 5.1
CVE-2016-6480 [MEDIUM] Linux kernel (Raspberry Pi 2) vulnerabilities
Title: Linux kernel (Raspberry Pi 2) vulnerabilities
Summary: Several security issues were fixed in the kernel.
Vladimír Beneš discovered an unbounded recursion in the VLAN and TEB
Generic Receive Offload (GRO) processing implementations in the Linux
kernel. A remote attacker could use this to cause a stack corruption,
leading to a denial of service (system crash). (CVE-2016-7039)
Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2016-6828)
Pengfei Wang discovered a race condition in the Adaptec AAC RAID controller
driver in the Linux kernel when handling ioctl()s. A local attacker could
use this
Red Hat
kernel: Use after free in tcp_xmit_retransmit_queue
vendor_redhat·2016-08-15·CVSS 5.5
CVE-2016-6828 [MEDIUM] CWE-416 kernel: Use after free in tcp_xmit_retransmit_queue
kernel: Use after free in tcp_xmit_retransmit_queue
The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option.
A use-after-free vulnerability was found in tcp_xmit_retransmit_queue and other tcp_* functions. This condition could allow an attacker to send an incorrect selective acknowledgment to existing connections, possibly resetting a connection.
Package: kernel (Red Hat Enterprise Linux 5) - Affected
Debian
CVE-2016-6828: linux - The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before...
vendor_debian·2016·CVSS 5.5
CVE-2016-6828 [MEDIUM] CVE-2016-6828: linux - The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before...
The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option.
Scope: local
bookworm: resolved (fixed in 4.7.2-1)
bullseye: resolved (fixed in 4.7.2-1)
forky: resolved (fixed in 4.7.2-1)
sid: resolved (fixed in 4.7.2-1)
trixie: resolved (fixed in 4.7.2-1)
GHSA
GHSA-2cwm-q27v-2mv8: The tcp_check_send_head function in include/net/tcp
ghsa_unreviewed·2022-05-14
CVE-2016-6828 [MEDIUM] CWE-416 GHSA-2cwm-q27v-2mv8: The tcp_check_send_head function in include/net/tcp
The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option.
OSV
CVE-2016-6828: The tcp_check_send_head function in include/net/tcp
osv·2016-10-16·CVSS 5.5
CVE-2016-6828 [MEDIUM] CVE-2016-6828: The tcp_check_send_head function in include/net/tcp
The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option.
OSV
linux-raspi2 vulnerabilities
osv·2016-10-11·CVSS 5.1
CVE-2016-7039 [MEDIUM] linux-raspi2 vulnerabilities
linux-raspi2 vulnerabilities
Vladimír Beneš discovered an unbounded recursion in the VLAN and TEB
Generic Receive Offload (GRO) processing implementations in the Linux
kernel. A remote attacker could use this to cause a stack corruption,
leading to a denial of service (system crash). (CVE-2016-7039)
Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2016-6828)
Pengfei Wang discovered a race condition in the Adaptec AAC RAID controller
driver in the Linux kernel when handling ioctl()s. A local attacker could
use this to cause a denial of service (system crash). (CVE-2016-6480)
OSV
linux vulnerabilities
osv·2016-10-11·CVSS 4.7
CVE-2016-7039 [MEDIUM] linux vulnerabilities
linux vulnerabilities
Vladimír Beneš discovered an unbounded recursion in the VLAN and TEB
Generic Receive Offload (GRO) processing implementations in the Linux
kernel. A remote attacker could use this to cause a stack corruption,
leading to a denial of service (system crash). (CVE-2016-7039)
Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2016-6828)
Pengfei Wang discovered a race condition in the s390 SCLP console driver
for the Linux kernel when handling ioctl()s. A local attacker could use
this to obtain sensitive information from kernel memory. (CVE-2016-6130)
Pengfei Wang discovered a race
OSV
linux-snapdragon vulnerabilities
osv·2016-10-11·CVSS 5.1
CVE-2016-7039 [MEDIUM] linux-snapdragon vulnerabilities
linux-snapdragon vulnerabilities
Vladimír Beneš discovered an unbounded recursion in the VLAN and TEB
Generic Receive Offload (GRO) processing implementations in the Linux
kernel. A remote attacker could use this to cause a stack corruption,
leading to a denial of service (system crash). (CVE-2016-7039)
Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2016-6828)
Pengfei Wang discovered a race condition in the Adaptec AAC RAID controller
driver in the Linux kernel when handling ioctl()s. A local attacker could
use this to cause a denial of service (system crash). (CVE-2016-6480)
OSV
linux vulnerabilities
osv·2016-10-11·CVSS 4.7
CVE-2016-7039 [MEDIUM] linux vulnerabilities
linux vulnerabilities
Vladimír Beneš discovered an unbounded recursion in the VLAN and TEB
Generic Receive Offload (GRO) processing implementations in the Linux
kernel. A remote attacker could use this to cause a stack corruption,
leading to a denial of service (system crash). (CVE-2016-7039)
Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2016-6828)
Pengfei Wang discovered a race condition in the audit subsystem in the
Linux kernel. A local attacker could use this to corrupt audit logs or
disrupt system-call auditing. (CVE-2016-6136)
Pengfei Wang discovered a race condition in the Adaptec AAC
OSV
linux-lts-xenial vulnerabilities
osv·2016-10-11·CVSS 5.1
[MEDIUM] linux-lts-xenial vulnerabilities
linux-lts-xenial vulnerabilities
USN-3099-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
Vladimír Beneš discovered an unbounded recursion in the VLAN and TEB
Generic Receive Offload (GRO) processing implementations in the Linux
kernel. A remote attacker could use this to cause a stack corruption,
leading to a denial of service (system crash). (CVE-2016-7039)
Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2016-6828)
Pengfei Wang discovered
No detection rules found.
References
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bb1fceca22492109be12640d49f5ea5a544c6bb4
http://rhn.redhat.com/errata/RHSA-2017-0036.html
http://rhn.redhat.com/errata/RHSA-2017-0086.html
http://rhn.redhat.com/errata/RHSA-2017-0091.html
http://rhn.redhat.com/errata/RHSA-2017-0113.html
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.5
http://www.openwall.com/lists/oss-security/2016/08/15/1
http://www.securityfocus.com/bid/92452
https://bugzilla.redhat.com/show_bug.cgi?id=1367091
https://github.com/torvalds/linux/commit/bb1fceca22492109be12640d49f5ea5a544c6bb4
https://marcograss.github.io/security/linux/2016/08/18/cve-2016-6828-linux-kernel-tcp-uaf.html
https://source.android.com/security/bulletin/2016-11-01.html