CVE-2016-4470

Severity

49%

Complexity

39%

Confidentiality

115%

CWE-416: Use After Free

The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command.

CWE-416: Use After Free

CVSS 3.0 Base Score 5.5. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0 Base Score 4.9. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:C).

Overview

First reported 8 years ago

2016-06-27 10:59:00

Last updated 5 years ago

2019-12-27 16:08:00

Affected Software

Linux Kernel

RedHat Enterprise MRG 2.0

2.0

Red Hat Enterprise Linux 6.0

6.0

RedHat Enterprise Linux Desktop 7.0

7.0

RedHat Enterprise Linux HPC Node 7.0

7.0

RedHat Enterprise Linux Server 7.0

7.0

Red Hat Enterprise Linux Server AUS 7.2

7.2

Red Hat Enterprise Linux Server EUS 7.2

7.2

RedHat Enterprise Linux Workstation 7.0

7.0

References

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=38327424b40bcebe2de92d07312c89360ac9229a

Vendor Advisory

SUSE-SU-2016:1937

Third Party Advisory

SUSE-SU-2016:1961

SUSE-SU-2016:1985

SUSE-SU-2016:1994

SUSE-SU-2016:1995

SUSE-SU-2016:1998

SUSE-SU-2016:1999

SUSE-SU-2016:2000

SUSE-SU-2016:2001

SUSE-SU-2016:2002

SUSE-SU-2016:2003

SUSE-SU-2016:2005

SUSE-SU-2016:2006

SUSE-SU-2016:2007

SUSE-SU-2016:2009

SUSE-SU-2016:2010

SUSE-SU-2016:2011

SUSE-SU-2016:2014

SUSE-SU-2016:2018

SUSE-SU-2016:2105

openSUSE-SU-2016:2184

RHSA-2016:1532

Third Party Advisory

RHSA-2016:1539

Third Party Advisory

RHSA-2016:1541

Third Party Advisory

RHSA-2016:1657

RHSA-2016:2006

RHSA-2016:2074

RHSA-2016:2076

RHSA-2016:2128

RHSA-2016:2133

DSA-3607

[oss-security] 20160615 CVE-2016-4470: Linux kernel Uninitialized variable in request_key handling user controlled kfree().

http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

Vendor Advisory

1036763

USN-3049-1

USN-3050-1

USN-3051-1

USN-3052-1

USN-3053-1

USN-3054-1

USN-3055-1

USN-3056-1

USN-3057-1

https://bugzilla.redhat.com/show_bug.cgi?id=1341716

Issue Tracking, Third Party Advisory, VDB Entry

https://github.com/torvalds/linux/commit/38327424b40bcebe2de92d07312c89360ac9229a

Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.