CVE-2017-12190

Advisory lineage Upstream: 0 Downstream: 23

Downstream

DEBIAN-CVE-2017-12190 DLA-1200-1 MGASA-2017-0463 MGASA-2017-0466 MGASA-2017-0467 MGASA-2018-0062

Modified

Published: 22 Nov 2017, 18:00

Last modified:05 Aug 2024, 18:28

Vulnerability Summary

Overall Risk (default)

medium

26/100

CVSS Score

6.5 MEDIUM

v3.0 (nvd)

EPSS Score

0.08% LOW

0% probability -0.02%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

22 Nov 2017, 18:00

Published

Vulnerability first disclosed

05 Aug 2024, 18:28

Last Modified

Vulnerability information updated

Description

The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.

CVSS Metrics

v3.0•MEDIUM•Score: 6.5CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
v2.0•MEDIUM•Score: 4.9AV:L/AC:L/Au:N/C:N/I:N/A:C

EPSS Trends

Current EPSS score: 0.08%• Percentile: 23%

Techniques & Countermeasures

CWE-400•Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
CWE-772•Missing Release of Resource after Effective Lifetime
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

Affected Systems

linux•linux_kernel
≤ 4.13.7