CVE-2016-8632

Description

The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability.

CVSS Metrics

• v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v2.0•HIGH•Score: 7.2AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 0.05%• Percentile: 15%

Techniques & Countermeasures

• CWE-119•Improper Restriction of Operations within the Bounds of a Memory Buffer

  The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

• CWE-264•Permissions, Privileges, and Access Controls

  Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Affected Systems

• linux•linux_kernel

  ≥ 2.6.16, < 3.2.85 | ≥ 3.3, < 3.16.40 | ≥ 3.17, < 4.1.37 | ≥ 4.2, < 4.4.65 | ≥ 4.5, < 4.8.14

References (4)

• http://www.openwall.com/lists/oss-security/2016/11/08/5
• https://bugzilla.redhat.com/show_bug.cgi?id=1390832
• http://www.securityfocus.com/bid/94211
• https://www.mail-archive.com/netdev%40vger.kernel.org/msg133205.html