CVE-2016-4470

Current Description

The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command.

Evaluator Description

CWE-416: Use After Free

Basic Data

PublishedJune 27, 2016
Last ModifiedDecember 27, 2019
Assignercve@mitre.org
Data TypeCVE
Data FormatMITRE
Data Version4.0
Problem TypeNVD-CWE-Other
CVE Data Version4.0

Base Metric V2

CVSS 2 - Version2.0
CVSS 2 - Vector StringAV:L/AC:L/Au:N/C:N/I:N/A:C
CVSS 2 - Access VectorLOCAL
CVSS 2 - Access ComplexityLOW
CVSS 2 - AuthenticationNONE
CVSS 2 - Confidentiality ImpactNONE
CVSS 2 - Availability ImpactCOMPLETE
CVSS 2 - Base Score4.9
SeverityMEDIUM
Exploitability Score3.9
Impact Score6.9
Obtain All Privilegefalse
Obtain User Privilegefalse
Obtain Other Privilegefalse

Base Metric V3

CVSS 3 - Version3.0
CVSS 3 - Vector StringCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 3 - Attack VectorLOCAL
CVSS 3 - Attack ComplexityLOW
CVSS 3 - Privileges RequiredLOW
CVSS 3 - User InteractionNONE
CVSS 3 - ScopeUNCHANGED
CVSS 3 - Confidentiality ImpactNONE
CVSS 3 - Integrity ImpactNONE
CVSS 3 - Availability ImpactHIGH
CVSS 3 - Base Score5.5
CVSS 3 - Base SeverityMEDIUM
Exploitability Score1.8
Base SeverityMEDIUM

Configurations

  • OR - Configuration 1
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3OSOracleVm Server3.3*******
    2.3OSOracleVm Server3.4*******
  • OR - Configuration 2
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3OSOracleLinux5.0*******
    2.3OSOracleLinux6*******
    2.3OSOracleLinux7*******
  • OR - Configuration 3
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3OSLinuxLinux Kernel********4.6.3
  • OR - Configuration 4
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3OSNovellSuse Linux Enterprise Real Time Extension12.0sp1******
  • OR - Configuration 5
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3ApplicationRedhatEnterprise Mrg2.0*******
    2.3OSRedhatEnterprise Linux6.0*******
    2.3OSRedhatEnterprise Linux Desktop7.0*******
    2.3OSRedhatEnterprise Linux For Real Time7.0*******
    2.3OSRedhatEnterprise Linux Hpc Node7.0*******
    2.3OSRedhatEnterprise Linux Hpc Node Eus7.0*******
    2.3OSRedhatEnterprise Linux Server7.0*******
    2.3OSRedhatEnterprise Linux Server Aus7.2*******
    2.3OSRedhatEnterprise Linux Server Eus7.2*******
    2.3OSRedhatEnterprise Linux Workstation7.0*******

Vulnerable Software List

VendorProductVersions
Novell Suse Linux Enterprise Real Time Extension 12.0
Redhat Enterprise Linux Workstation 7.0
Redhat Enterprise Linux For Real Time 7.0
Redhat Enterprise Linux 6.0
Redhat Enterprise Linux Desktop 7.0
Redhat Enterprise Linux Server Aus 7.2
Redhat Enterprise Linux Server Eus 7.2
Redhat Enterprise Mrg 2.0
Redhat Enterprise Linux Hpc Node Eus 7.0
Redhat Enterprise Linux Hpc Node 7.0
Redhat Enterprise Linux Server 7.0
Oracle Linux 5.0, 6, 7
Oracle Vm Server 3.3, 3.4
Linux Linux Kernel *

References

NameSourceURLTags
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=38327424b40bcebe2de92d07312c89360ac9229ahttp://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=38327424b40bcebe2de92d0731CONFIRMVendor Advisory
SUSE-SU-2016:1937http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.htmlSUSEThird Party Advisory
SUSE-SU-2016:1961http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00003.htmlSUSE
SUSE-SU-2016:1985http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.htmlSUSE
SUSE-SU-2016:1994http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00008.htmlSUSE
SUSE-SU-2016:1995http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00009.htmlSUSE
SUSE-SU-2016:1998http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00012.htmlSUSE
SUSE-SU-2016:1999http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00013.htmlSUSE
SUSE-SU-2016:2000http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00014.htmlSUSE
SUSE-SU-2016:2001http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00015.htmlSUSE
SUSE-SU-2016:2002http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00016.htmlSUSE
SUSE-SU-2016:2003http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00017.htmlSUSE
SUSE-SU-2016:2005http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00018.htmlSUSE
SUSE-SU-2016:2006http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00019.htmlSUSE
SUSE-SU-2016:2007http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00020.htmlSUSE
SUSE-SU-2016:2009http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00021.htmlSUSE
SUSE-SU-2016:2010http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00022.htmlSUSE
SUSE-SU-2016:2011http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00023.htmlSUSE
SUSE-SU-2016:2014http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00026.htmlSUSE
SUSE-SU-2016:2018http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00027.htmlSUSE
SUSE-SU-2016:2105http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.htmlSUSE
openSUSE-SU-2016:2184http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00055.htmlSUSE
RHSA-2016:1532http://rhn.redhat.com/errata/RHSA-2016-1532.htmlREDHATThird Party Advisory
RHSA-2016:1539http://rhn.redhat.com/errata/RHSA-2016-1539.htmlREDHATThird Party Advisory
RHSA-2016:1541http://rhn.redhat.com/errata/RHSA-2016-1541.htmlREDHATThird Party Advisory
RHSA-2016:1657http://rhn.redhat.com/errata/RHSA-2016-1657.htmlREDHAT
RHSA-2016:2006http://rhn.redhat.com/errata/RHSA-2016-2006.htmlREDHAT
RHSA-2016:2074http://rhn.redhat.com/errata/RHSA-2016-2074.htmlREDHAT
RHSA-2016:2076http://rhn.redhat.com/errata/RHSA-2016-2076.htmlREDHAT
RHSA-2016:2128http://rhn.redhat.com/errata/RHSA-2016-2128.htmlREDHAT
RHSA-2016:2133http://rhn.redhat.com/errata/RHSA-2016-2133.htmlREDHAT
DSA-3607http://www.debian.org/security/2016/dsa-3607DEBIAN
[oss-security] 20160615 CVE-2016-4470: Linux kernel Uninitialized variable in request_key handling user controlled kfree().http://www.openwall.com/lists/oss-security/2016/06/15/11MLIST
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.htmlhttp://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.htmlCONFIRMThird Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.htmlhttp://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.htmlCONFIRM
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.htmlhttp://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.htmlCONFIRMVendor Advisory
1036763http://www.securitytracker.com/id/1036763SECTRACK
USN-3049-1http://www.ubuntu.com/usn/USN-3049-1UBUNTU
USN-3050-1http://www.ubuntu.com/usn/USN-3050-1UBUNTU
USN-3051-1http://www.ubuntu.com/usn/USN-3051-1UBUNTU
USN-3052-1http://www.ubuntu.com/usn/USN-3052-1UBUNTU
USN-3053-1http://www.ubuntu.com/usn/USN-3053-1UBUNTU
USN-3054-1http://www.ubuntu.com/usn/USN-3054-1UBUNTU
USN-3055-1http://www.ubuntu.com/usn/USN-3055-1UBUNTU
USN-3056-1http://www.ubuntu.com/usn/USN-3056-1UBUNTU
USN-3057-1http://www.ubuntu.com/usn/USN-3057-1UBUNTU
https://bugzilla.redhat.com/show_bug.cgi?id=1341716https://bugzilla.redhat.com/show_bug.cgi?id=1341716CONFIRMIssue Tracking Third Party Advisory VDB Entry
https://github.com/torvalds/linux/commit/38327424b40bcebe2de92d07312c89360ac9229ahttps://github.com/torvalds/linux/commit/38327424b40bcebe2de92d07312c89360ac9229aCONFIRMVendor Advisory