Vulnerability Details: CVE-2017-17558
The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device.
Vulnerability category: Memory Corruption, Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2017-17558
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 8 %
CVSS scores for CVE-2017-17558
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST |
6.6 | MEDIUM | CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 0.7 | 5.9 | NIST |
CWE ids for CVE-2017-17558
- The product writes data past the end, or before the beginning, of the intended buffer. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-17558
- https://usn.ubuntu.com/3754-1/
  USN-3754-1: Linux kernel vulnerabilities | Ubuntu security notices
- https://www.debian.org/security/2018/dsa-4082
  Debian -- Security Information -- DSA-4082-1 linux
- https://access.redhat.com/errata/RHSA-2019:1170
  RHSA-2019:1170 - Security Advisory - Red Hat Customer Portal
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://lists.debian.org/debian-lts-announce/2018/01/msg00004.html
  [SECURITY] [DLA 1232-1] linux security update
- https://www.spinics.net/lists/linux-usb/msg163644.html
  [PATCH] USB: core: only clean up what we allocated — Linux USB (Issue Tracking; Patch)
- http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html
  [security-announce] SUSE-SU-2018:0011-1: important: Security update for (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0676
  RHSA-2018:0676 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2018:1062
  RHSA-2018:1062 - Security Advisory - Red Hat Customer Portal
- http://openwall.com/lists/oss-security/2017/12/12/7
  oss-security - Re: Linux kernel: multiple vulnerabilities in the USB subsystem (Mailing List; Third Party Advisory)
- https://usn.ubuntu.com/3619-1/
  USN-3619-1: Linux kernel vulnerabilities | Ubuntu security notices
- https://usn.ubuntu.com/3619-2/
  USN-3619-2: Linux kernel (Xenial HWE) vulnerabilities | Ubuntu security notices
- https://www.debian.org/security/2017/dsa-4073
  Debian -- Security Information -- DSA-4073-1 linux (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:1190
  RHSA-2019:1190 - Security Advisory - Red Hat Customer Portal
Products affected by CVE-2017-17558
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp4:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:extra:*:*:*:*:*:*