CVE-2017-1000253
Published 2017-10-05
CVE-2017-1000253: Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on…
Priority P184 · high · 7.8 (CVSS 3.1)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2024-09-30
Exploited in the wild
EPSS 10.70% (95.3rd percentile)
Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on April 14, 2015). This kernel vulnerability was fixed in April 2015 by commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to Linux 3.10.77 in May 2015), but it was not recognized as a security threat at the time. With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and the normal top-down address allocation strategy, load_elf_binary() attempts to map a PIE binary into an address range immediately below mm->mmap_base. Unfortunately, load_elf_binary() does not take account of the need to allocate sufficient space for the entire binary: it requests only enough room for the first PT_LOAD segment, so while that segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base, into the area that is supposed to be the "gap" between the stack and the binary.
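To make the placement failure concrete, here is an added example (not kernel code, and not taken from the advisory) that models how load_elf_binary() chose addresses for a PIE's PT_LOAD segments before and after commit a87938b2e246. Everything in it is an illustration: `struct phdr` is a reduced stand-in for Elf64_Phdr, `topdown_alloc()` stands in for get_unmapped_area() on the assumption that nothing else is mapped under mmap_base, the sample segments and the mmap_base value are constructed, and the first request is sized by p_memsz where the kernel's elf_map() uses p_filesz and maps the bss separately. `total_mapping_size()` follows the logic of the fix's function of the same name.

```c
/* Added example, not kernel code: a model of how load_elf_binary() placed
 * the PT_LOAD segments of a PIE before and after commit a87938b2e246.
 * struct phdr is a reduced stand-in for Elf64_Phdr; the sample segments and
 * mmap_base below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

#define PT_LOAD 1
#define PT_PHDR 6
#define PAGE_SIZE 4096UL
#define PAGE_MASK (~(PAGE_SIZE - 1))
#define ELF_PAGESTART(a) ((a) & PAGE_MASK)
#define ELF_PAGEALIGN(a) (((a) + PAGE_SIZE - 1) & PAGE_MASK)

struct phdr {            /* the three Elf64_Phdr fields the placement needs */
    uint32_t p_type;
    uint64_t p_vaddr;
    uint64_t p_memsz;
};

/* Constructed PIE layout: program header table, a 4 KiB text segment at
 * vaddr 0, and a data/bss segment 2 MiB further up, as the default x86-64
 * linker script lays things out. */
const struct phdr sample_phdrs[] = {
    { PT_PHDR, 0x40,     0x1f8   },
    { PT_LOAD, 0x0,      0x1000  },
    { PT_LOAD, 0x201000, 0x10000 },
};
#define SAMPLE_NPHDR ((int)(sizeof sample_phdrs / sizeof sample_phdrs[0]))

/* Span from the page-aligned start of the first PT_LOAD to the end of the
 * last one. This is what the fix's total_mapping_size() computes and hands
 * to elf_map() so the whole image is reserved in one request. */
unsigned long total_mapping_size(const struct phdr *ph, int n)
{
    int first = -1, last = -1;
    for (int i = 0; i < n; i++) {
        if (ph[i].p_type != PT_LOAD)
            continue;
        if (first < 0)
            first = i;
        last = i;
    }
    if (first < 0)
        return 0;
    return ph[last].p_vaddr + ph[last].p_memsz - ELF_PAGESTART(ph[first].p_vaddr);
}

/* Stand-in for get_unmapped_area() with the default top-down policy:
 * hands out the highest free page-aligned range below *free_top
 * (assumption: the region under mmap_base is empty). */
static unsigned long topdown_alloc(unsigned long *free_top, unsigned long len)
{
    *free_top -= ELF_PAGEALIGN(len);
    return *free_top;
}

/* Highest address the loaded image occupies. With fixed == 0 the first
 * PT_LOAD is requested with only its own size, as before the patch; the
 * later segments are then placed at load_bias + p_vaddr with MAP_FIXED,
 * whether or not that crosses mmap_base. With fixed != 0 the first request
 * is for total_mapping_size(), so the whole image fits under mmap_base. */
unsigned long pie_image_end(const struct phdr *ph, int n, unsigned long mmap_base, int fixed)
{
    unsigned long free_top = mmap_base, load_bias = 0, end = 0;
    int first_mapped = 0;

    for (int i = 0; i < n; i++) {
        if (ph[i].p_type != PT_LOAD)
            continue;
        if (!first_mapped) {
            unsigned long want = fixed ? total_mapping_size(ph, n)
                                       : ph[i].p_memsz + (ph[i].p_vaddr & ~PAGE_MASK);
            unsigned long addr = topdown_alloc(&free_top, want);
            load_bias = addr - ELF_PAGESTART(ph[i].p_vaddr);
            first_mapped = 1;
        }
        unsigned long seg_end = load_bias + ELF_PAGEALIGN(ph[i].p_vaddr + ph[i].p_memsz);
        if (seg_end > end)
            end = seg_end;
    }
    return end;
}

/* 1 if part of the image lands above mmap_base, i.e. inside the gap the
 * kernel keeps between the mmap area and the stack. */
int spills_past_mmap_base(const struct phdr *ph, int n, unsigned long mmap_base, int fixed)
{
    return pie_image_end(ph, n, mmap_base, fixed) > mmap_base;
}

int main(void)
{
    unsigned long mmap_base = 0x7ffff7fff000UL;   /* constructed; ASLR varies it */
    for (int fixed = 0; fixed <= 1; fixed++) {
        unsigned long end = pie_image_end(sample_phdrs, SAMPLE_NPHDR, mmap_base, fixed);
        printf("%s loader: image ends at 0x%lx, mmap_base 0x%lx -> %s\n",
               fixed ? "patched  " : "unpatched", end, mmap_base,
               end > mmap_base ? "spills into the stack gap" : "stays below mmap_base");
    }
    return 0;
}
```

With these constructed headers the unpatched placement ends 0x210000 bytes above mmap_base, which is the data/bss segment sitting in the region reserved for the stack gap, while the patched placement ends exactly at mmap_base. Whether a spilled segment actually overlaps the stack on a real system depends on the size of that gap, which the model does not represent.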
Affected
42 ranges · showing 25 (rows that are identical in the source are collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| centos | centos | — (14 entries, ranges not rendered in the source) | — |
| debian | linux | < linux 4.0.2-1 (bookworm) | linux 4.0.2-1 (bookworm) |
| linux | linux_kernel | >= 0 < 4.0.2-1 (4 entries) | 4.0.2-1 |
| linux | linux_kernel | >= 2.6.25 < 3.2.70 | 3.2.70 |
| linux | linux_kernel | >= 3.11 < 3.12.43 | 3.12.43 |
| linux | linux_kernel | >= 3.13 < 3.14.41 | 3.14.41 |
| linux | linux_kernel | >= 3.15 < 3.16.35 | 3.16.35 |
| linux | linux_kernel | >= 3.17 < 3.18.14 | 3.18.14 |
| linux | linux_kernel | >= 3.19 < 3.19.7 | 3.19.7 |
Detection & IOCs (extracted from sources)
- Detect Telegram API calls from Linux servers used for C&C communication; the DarkRadiation ransomware uses Telegram's API to send infection status and receive encryption passwords.
- The vulnerability is only exploitable when CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE is enabled with a top-down address allocation strategy; systems using the legacy VA layout (vm.legacy_va_layout=1) are not exploitable.
- Red Hat Enterprise Linux 7 kernels at or after version 3.10.0-693 are not vulnerable; detection rules should account for patched kernel versions.
- 64-bit processes on Red Hat Enterprise Linux 5 are forced to use the legacy virtual address space layout regardless of vm.legacy_va_layout, so they are not exploitable via this vector.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.8 | HIGH | — |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |
GHSA
GHSA-rm92-8pw8-34fm: Linux distributions that have not patched their long-term kernels with https://git
ghsa_unreviewed · 2022-05-17 · CVE-2017-1000253 [HIGH] · CWE-119
Kernel
binfmt_elf: reintroduce using MAP_FIXED_NOREPLACE
kernel_security · 2021-11-08 · CVE-2017-1000253 [HIGH] · CVSS 7.8
Commit b212921b13bd ("elf: don't use MAP_FIXED_NOREPLACE for elf
executable mappings") reverted back to using MAP_FIXED to map ELF LOAD
segments because it was found that the segments in some binaries overlap
and can cause MAP_FIXED_NOREPLACE to fail.
The original intent of MAP_FIXED_NOREPLACE in the ELF loader was to
prevent the silent clobbering of an existing mapping (e.g. stack) by
the ELF image, which could lead to exploitable conditions. Quoting
commit 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map"),
which originally introduced the use of MAP_FIXED_NOREPLACE in the
loader:
Both load_elf_interp and load_elf_binary rely on elf_map to map
segments [to a specific] address and they use MAP_FIXED to enforce
that. This is howe
Kernel
fs, elf: drop MAP_FIXED usage from elf_map
kernel_security · 2018-04-10 · CVE-2017-1000253 [HIGH] · CVSS 7.8
Both load_elf_interp and load_elf_binary rely on elf_map to map segments
on a controlled address and they use MAP_FIXED to enforce that. This is
however dangerous thing prone to silent data corruption which can be
even exploitable.
Let's take CVE-2017-1000253 as an example. At the time (before commit
eab09532d400: "binfmt_elf: use ELF_ET_DYN_BASE only for PIE")
ELF_ET_DYN_BASE was at TASK_SIZE / 3 * 2 which is not that far away from
the stack top on 32b (legacy) memory layout (only 1GB away). Therefore
we could end up mapping over the existing stack with some luck.
The issue has been fixed since then (a87938b2e246: "fs/binfmt_elf.c: fix
bug in loading of PIE binaries"), ELF_ET_DYN_BASE moved much
further from the stack (eab09532d400 and l
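The two commit messages above turn on which mmap flag the loader uses for its fixed-address placements. As an added example (not code from either commit), the program below maps one anonymous page, fills it with a marker, and then asks for that same address twice: once with MAP_FIXED, which silently replaces the page, and once with MAP_FIXED_NOREPLACE, which on Linux 4.17 and later fails with EEXIST and leaves the page untouched. The fallback `#define` of MAP_FIXED_NOREPLACE is there for older libc headers; a kernel that does not know the flag treats the address as a hint and returns a different range, which the code also counts as a refusal. The marker page and the interpretation of the results are the example's own, not the kernel's.

```c
/* Added example, not code from either commit: what MAP_FIXED and
 * MAP_FIXED_NOREPLACE do when the requested range is already mapped. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000   /* value from the Linux uapi headers, for older libcs */
#endif

int last_noreplace_errno;   /* errno of the MAP_FIXED_NOREPLACE attempt, for reporting */

/* Maps a page and fills it with a marker, standing in for live data such
 * as a stack page (constructed for the example). Returns NULL on failure. */
static char *marked_page(long pg)
{
    char *p = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memset(p, 'S', pg);
    return p;
}

/* 1 if mapping over the page with MAP_FIXED succeeded and replaced its
 * contents (a fresh anonymous page reads back as zeros), 0 if it did not,
 * -1 if the setup mapping failed. This is the silent clobbering the ELF
 * loader was exposed to while it used MAP_FIXED. */
int map_fixed_clobbers(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    char *p = marked_page(pg);
    if (!p)
        return -1;
    char *q = mmap(p, pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    int clobbered = (q == p) && (p[0] == 0);
    munmap(p, pg);
    return clobbered;
}

/* 1 if MAP_FIXED_NOREPLACE left the existing page intact: on Linux >= 4.17
 * the call fails with EEXIST; a kernel that does not know the flag treats
 * the address as a hint and returns a different range, which also counts.
 * 0 if the page was replaced, -1 if the setup mapping failed. */
int map_fixed_noreplace_refuses(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    char *p = marked_page(pg);
    if (!p)
        return -1;
    errno = 0;
    char *q = mmap(p, pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    last_noreplace_errno = errno;
    int refused;
    if (q == MAP_FAILED) {
        refused = 1;
    } else {
        refused = (q != p);
        munmap(q, pg);   /* q is either a separate new range or p itself (replaced) */
    }
    int intact = refused && p[0] == 'S';
    if (q != p)          /* p is still mapped only if it was not replaced */
        munmap(p, pg);
    return intact;
}

int main(void)
{
    printf("MAP_FIXED over a live page: %s\n",
           map_fixed_clobbers() == 1 ? "replaced it silently" : "did not replace it");
    int r = map_fixed_noreplace_refuses();
    printf("MAP_FIXED_NOREPLACE over a live page: %s (errno %d%s)\n",
           r == 1 ? "refused" : "did not refuse", last_noreplace_errno,
           last_noreplace_errno == EEXIST ? ", EEXIST" : "");
    return 0;
}
```

The first call is the hazard the loader carried for years: the request succeeds and the caller has no indication that whatever lived at that address is gone. The second is the behaviour 4ed28639519c wanted and b212921b13bd had to give up because some binaries ship overlapping LOAD segments, which is what the reintroduction commit above addresses.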
OSV
CVE-2017-1000253: Linux distributions that have not patched their long-term kernels with https://git
osv · 2017-10-05 · CVE-2017-1000253 [HIGH] · CVSS 7.8
VulnCheck
Linux Kernel PIE Stack Buffer Corruption Vulnerability
vulncheck · 2017 · CVE-2017-1000253 [HIGH] · CWE-119 · CVSS 7.8
Linux kernel contains a position-independent executable (PIE) stack buffer corruption vulnerability in load_elf_binary() that allows a local attacker to escalate privileges.
Affected: Linux Kernel
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.trendmicro.com/en_in/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html
- https://cybersecurityworks.com/howdymanage/uploads/file/ransomware_index-update-q221-csw.pdf
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/
CISA
Linux Kernel PIE Stack Buffer Corruption Vulnerability
cisa · 2024-09-09 · CVE-2017-1000253 [HIGH] · CWE-119 · CVSS 7.8
Affected: Linux Kernel
Linux kernel contains a position-independent executable (PIE) stack buffer corruption vulnerability in load_elf_binary() that allows a local attacker to escalate privileges.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see:
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a87938b2e246b81b4fb713edb371a9fa3c5c3c86
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000253
Remediation Due Date: 2024-09-30
Red Hat
kernel: load_elf_binary() does not take account of the need to allocate sufficient space for the entire binary
vendor_redhat · 2017-09-26 · CVE-2017-1000253 [HIGH] · CWE-119 · CVSS 7.8
Debian
CVE-2017-1000253: linux - Linux distributions that have not patched their long-term kernels with https://g...
vendor_debian · 2017 · CVE-2017-1000253 [HIGH] · CVSS 7.8
No detection rules found.
Qualys
Mutagen Astronomy: From Discovery to CISA Recognition—A Seven-Year Journey
blogs_qualys · 2026-02-02 · CVE-2018-14634 [HIGH] · CVSS 7.8
## Table of Contents
- Introduction
- Why This Matters Now
- Looking Back: The Original Discovery
- Guidance for Security Teams
- A Note on Our Research Mission
- Conclusion
- Frequently Asked Questions (FAQs)
## Introduction
On January 26, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2018-14634 to its Known Exploited Vulnerabilities (KEV) catalog. The same vulnerability was discovered by the Qualys Threat Research Unit (TRU) in September 2018.
We nicknamed it “Mutagen Astronomy” as a tribute to the 1992 film Sneakers. In that movie, the phrase “Setec Astronomy” is revealed as an anagram for “Too Many Secrets.” Following that tradition, “Mutagen Astronomy” is our anagram for “Too Many Arguments”, which precisely captures the technical root cause of this vulnera
Trendmicro
Bash Ransomware DarkRadiation Targets Red Hat- and Debian-based Linux Distributions
blogs_trendmicro · 2021-06-17 · [HIGH] · CVSS 7.8 · Ransomware
By: Aliakbar Zahravi, 2021/06/17
We investigate how certain hacking tools are used to move laterally on victims’ networks to deploy ransomware. These tools contain reconnaissance/spreader scripts, exploits for Red Hat and CentOS, binary injectors, and more. In this blog, we focus on analyzing the worm and ransomware script.
A recently discovered Bash ransomware piqued our interest in multiple ways. Upon investigating, we found that the attack chain is fully implemented as a bash script, but it also seems that the scripts are still under development. Most components of this attack mainly target Red Hat and CentOS Linux distributions; however, in some script
Bugzilla
CVE-2017-1000253 kernel: load_elf_binary() does not take account of the need to allocate sufficient space for the entire binary
bugzilla · 2017-09-15 · CVE-2017-1000253 [HIGH] · CVSS 7.8
A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.
Upstream patch:
https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86
Discussion:
Statement:
This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6. This
References:
- http://www.securityfocus.com/bid/101010
- http://www.securitytracker.com/id/1039434
- https://access.redhat.com/errata/RHSA-2017:2793
- https://access.redhat.com/errata/RHSA-2017:2794
- https://access.redhat.com/errata/RHSA-2017:2795
- https://access.redhat.com/errata/RHSA-2017:2796
- https://access.redhat.com/errata/RHSA-2017:2797
- https://access.redhat.com/errata/RHSA-2017:2798
- https://access.redhat.com/errata/RHSA-2017:2799
- https://access.redhat.com/errata/RHSA-2017:2800
- https://access.redhat.com/errata/RHSA-2017:2801
- https://access.redhat.com/errata/RHSA-2017:2802
- https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-1000253
2017-10-05 · Published
2024-09-09 · Added to CISA KEV
Exploited in the wild