CVE-2014-0131 - Use After Free

Severity

28%

Complexity

55%

Confidentiality

48%

Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.

Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.

CVSS 2.0 Base Score 2.9. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: medium. CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:N/A:N).

Demo Examples

Use After Free

CWE-416

The following example demonstrates the weakness.


               
}
free(buf3R2);

Use After Free

CWE-416

The following code illustrates a use after free error:


               
}
free(ptr);
logError("operation aborted before commit", ptr);

When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function.

Overview

First reported 10 years ago

2014-03-24 16:40:00

Last updated 5 years ago

2019-05-13 18:03:00

Affected Software

Linux Kernel

openSUSE Evergreen 11.4

11.4

SUSE Linux Enterprise Server 11 Service Pack 2 Long Term Service Pack Support

11

References

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1fd819ecb90cc9b822cd84d3056ddba315d3340f

Patch, Vendor Advisory

SUSE-SU-2015:0481

Third Party Advisory

openSUSE-SU-2015:0566

Third Party Advisory

[oss-security] 20140310 CVE-2014-0131 -- kernel: net: use-after-free during segmentation with zerocopy

Mailing List, Third Party Advisory

[netdev] 20140310 [PATCH 0/5] skbuff: fix skb_segment with zero copy skbs

Mailing List, Third Party Advisory

[netdev] 20140310 [PATCH 5/5] skbuff: skb_segment: orphan frags before copying

Mailing List, Patch, Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1074589

Issue Tracking

https://github.com/torvalds/linux/commit/1fd819ecb90cc9b822cd84d3056ddba315d3340f

Patch, Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.