cbcvebase.
CVE-2017-16995
published 2017-12-27


Priority: P2 · 59 · high · CVSS 3.1 base score 7.8
Vector: AV:L AC:L PR:L UI:N S:U C:H I:H A:H
Exploit: public exploit available
EPSS: 30.05% (98.0th percentile)
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.

Affected (11 ranges)

Vendor      Product        Version range                    Fixed in
canonical   ubuntu_linux   -                                -
canonical   ubuntu_linux   -                                -
debian      debian_linux   -                                -
debian      linux          < linux 4.14.7-1 (bookworm)      linux 4.14.7-1 (bookworm)
linux       linux_kernel   >= 0 < 4.14.7-1                  4.14.7-1
linux       linux_kernel   >= 0 < 4.14.7-1                  4.14.7-1
linux       linux_kernel   >= 0 < 4.14.7-1                  4.14.7-1
linux       linux_kernel   >= 0 < 4.14.7-1                  4.14.7-1
linux       linux_kernel   >= 0 < 4.4.0-119.143             4.4.0-119.143
linux       linux_kernel   >= 4.10 < 4.14.9                 4.14.9
linux       linux_kernel   >= 4.9 < 4.9.72                  4.9.72

Detection & IOCs (extracted from sources)

URLs:
  https://github.com/rlarabee/exploits/blob/master/cve-2017-16995/cve-2017-16995.c
  https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c
  http://cyseclabs.com/pub/upstream44.c
Bytes:
  \xb4\x09\x00\x00\xff\xff\xff\xff\x55\x09\x02\x00\xff\xff\xff\xff\xb7\x00\x00\x00\x00\x00\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00
  • Check whether kernel.unprivileged_bpf_disabled is set to 0 (permitting unprivileged BPF loading), which is a prerequisite for exploitation of CVE-2017-16995.
  • Monitor for unprivileged processes invoking the bpf() syscall (__NR_bpf) with BPF_PROG_LOAD and BPF_PROG_TYPE_SOCKET_FILTER, which is the exploit's mechanism for loading a malicious BPF program.
  • Alert on setsockopt calls with SO_ATTACH_BPF from unprivileged processes, used by the exploit to attach the malicious BPF program to a socket.
  • Detect the BPF_DISABLE_VERIFIER macro pattern: a BPF program that loads 0xFFFFFFFF into a 32-bit register and immediately checks equality to bypass the verifier; this is the core sign-extension bypass technique.
  • Monitor for processes writing to /proc/sys/kernel/unprivileged_bpf_disabled or reading kernel version strings (uname -r) followed by BPF syscall activity, which may indicate pre-exploitation reconnaissance.
  • Flag use of PHYS_OFFSET constant 0xffff880000000000 in BPF programs or kernel memory reads, as both public exploit variants use this value to validate leaked kernel pointers.
  • Detect credential-patching pattern: kernel memory writes zeroing uid/gid fields at credptr+UID_OFFSET (offset 4) after reading task_struct->cred at CRED_OFFSET (0x5f8), followed by execve of /bin/bash or /bin/sh.
  • Vulnerable kernel range is 4.0 through 4.14.11 (exclusive); systems running kernels in this range with BPF support enabled should be prioritized for patching or mitigation.
  • Exploitation requires unprivileged BPF loading to be permitted. Setting kernel.unprivileged_bpf_disabled=1 prevents exploitation entirely.
  • The exploit only works on x86_64 architecture; other architectures are not affected.
  • The vulnerability is stated to be unexploitable on authentic grsecurity kernels; only counterfeit/KSPP-patched kernels are affected by the public exploits.
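The 32-byte IOC sequence listed above can be decoded rather than matched as an opaque string, which makes the "32-bit load of 0xFFFFFFFF followed by an equality check" note above testable against any captured program. The following is an added example, not code from cbcvebase, the exploit authors or the kernel project: it splits raw eBPF program bytes into `struct bpf_insn` records (8 bytes each, little-endian), prints a short listing, and reports the instruction index of every 32-bit MOV of 0xffffffff that is immediately followed by a JEQ/JNE of the same register against 0xffffffff. The opcode constants are the kernel's public eBPF encoding; `IOC_BYTES` is the page's byte string, `BENIGN_BYTES` is a constructed control program, and the function names are this example's own.

```python
import struct
from typing import List, NamedTuple

# struct bpf_insn: u8 code, u8 (dst_reg:4 | src_reg:4), s16 off, s32 imm, little-endian
_INSN = struct.Struct("<BBhi")

# Fields of the eBPF opcode byte (linux/bpf_common.h, linux/bpf.h)
BPF_ALU, BPF_JMP, BPF_ALU64 = 0x04, 0x05, 0x07          # low 3 bits: instruction class
BPF_K, BPF_X = 0x00, 0x08                               # bit 3: immediate vs. register source
BPF_MOV, BPF_JEQ, BPF_JNE, BPF_EXIT = 0xB0, 0x10, 0x50, 0x90  # high 4 bits: operation


class Insn(NamedTuple):
    code: int
    dst: int
    src: int
    off: int
    imm: int

    @property
    def cls(self) -> int:
        return self.code & 0x07

    @property
    def op(self) -> int:
        return self.code & 0xF0

    @property
    def uses_imm(self) -> bool:
        return (self.code & 0x08) == BPF_K


def decode(raw: bytes) -> List[Insn]:
    """Split a raw eBPF program into 8-byte instructions."""
    if len(raw) % _INSN.size:
        raise ValueError("program length is not a multiple of 8 bytes")
    return [Insn(code, regs & 0x0F, regs >> 4, off, imm)
            for code, regs, off, imm in _INSN.iter_unpack(raw)]


def fmt(insn: Insn) -> str:
    """Readable form for the few opcodes the IOC uses; anything else is shown raw."""
    if insn.cls in (BPF_ALU, BPF_ALU64) and insn.op == BPF_MOV and insn.uses_imm:
        width = "mov32" if insn.cls == BPF_ALU else "mov64"
        return f"{width} r{insn.dst}, {insn.imm & 0xFFFFFFFF:#x}"
    if insn.cls == BPF_JMP and insn.op in (BPF_JEQ, BPF_JNE) and insn.uses_imm:
        name = "jeq" if insn.op == BPF_JEQ else "jne"
        return f"{name} r{insn.dst}, {insn.imm & 0xFFFFFFFF:#x}, +{insn.off}"
    if insn.cls == BPF_JMP and insn.op == BPF_EXIT:
        return "exit"
    return f"<code {insn.code:#04x}>"


def find_alu32_neg1_compare(prog: List[Insn]) -> List[int]:
    """Indices where a 32-bit MOV of 0xffffffff is immediately followed by a
    JEQ/JNE of the same register against 0xffffffff (the pattern from the notes)."""
    hits = []
    for i in range(len(prog) - 1):
        mov, jmp = prog[i], prog[i + 1]
        if not (mov.cls == BPF_ALU and mov.op == BPF_MOV and mov.uses_imm and mov.imm == -1):
            continue
        if (jmp.cls == BPF_JMP and jmp.op in (BPF_JEQ, BPF_JNE) and jmp.uses_imm
                and jmp.dst == mov.dst and jmp.imm == -1):
            hits.append(i)
    return hits


def scan(raw: bytes) -> dict:
    """Decode a program and return its listing plus the indices of any hits."""
    prog = decode(raw)
    return {"listing": [fmt(i) for i in prog], "hits": find_alu32_neg1_compare(prog)}


# The 32-byte sequence from the "Detection & IOCs" section above.
IOC_BYTES = bytes.fromhex(
    "b4090000ffffffff" "55090200ffffffff" "b700000000000000" "9500000000000000"
)
# Constructed control program for comparison: mov64 r0, 0 ; exit
BENIGN_BYTES = bytes.fromhex("b700000000000000" "9500000000000000")

if __name__ == "__main__":
    for label, raw in (("ioc", IOC_BYTES), ("benign", BENIGN_BYTES)):
        result = scan(raw)
        print(f"[{label}] hits at instruction index {result['hits']}")
        for n, line in enumerate(result["listing"]):
            print(f"  {n:3d}: {line}")
```

The bytes a BPF_PROG_LOAD call submits are the contents of the `insns` buffer it passes to bpf(), so the same `scan()` can be run over a buffer captured by an audit or tracing hook rather than the literal IOC string. The matcher keys on the 32-bit ALU class, which is what the note above describes, so a 64-bit MOV (class ALU64) of the same immediate followed by the same compare is deliberately not reported.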

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     7.2    HIGH      AV:L/AC:L/Au:N/C:C/I:C/A:C
osv             -        7.8    HIGH      -
vendor_debian   -        7.8    HIGH      -
vendor_redhat   -        7.8    HIGH      -
vendor_ubuntu   -        7.8    HIGH      -