| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2006-6333 |
|
|
DoS Mem. Corr. |
2006-12-06 |
2008-09-05 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The tr_rx function in ibmtr.c for Linux kernel 2.6.19 assigns the wrong flag to the ip_summed field, which allows remote attackers to cause a denial of service (memory corruption) via crafted packets that cause the kernel to interpret another field as an offset. |
|
2 |
CVE-2006-6304 |
399 |
|
|
2006-12-14 |
2012-03-19 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The do_coredump function in fs/exec.c in the Linux kernel 2.6.19 sets the flag variable to O_EXCL but does not use it, which allows context-dependent attackers to modify arbitrary files via a rewrite attack during a core dump. |
|
3 |
CVE-2006-6128 |
|
|
DoS Mem. Corr. |
2006-11-26 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The ReiserFS functionality in Linux kernel 2.6.18, and possibly other versions, allows local users to cause a denial of service via a malformed ReiserFS file system that triggers memory corruption when a sync is performed. |
|
4 |
CVE-2006-6106 |
119 |
|
DoS Exec Code Overflow |
2006-12-19 |
2012-03-19 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple buffer overflows in the cmtp_recv_interopmsg function in the Bluetooth driver (net/bluetooth/cmtp/capi.c) in the Linux kernel 2.4.22 up to 2.4.33.4 and 2.6.2 before 2.6.18.6, and 2.6.19.x, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via CAPI messages with a large value for the length of the (1) manu (manufacturer) or (2) serial (serial number) field. |
|
5 |
CVE-2006-6060 |
|
|
DoS |
2006-11-21 |
2008-09-05 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The NTFS filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly other versions, allows local users to cause a denial of service (CPU consumption) via a malformed NTFS file stream that triggers an infinite loop in the __find_get_block_slow function. |
|
6 |
CVE-2006-6058 |
189 |
|
DoS Overflow |
2006-11-21 |
2011-06-20 |
4.0 |
None |
Local |
High |
Not required |
None |
None |
Complete |
|
The minix filesystem code in Linux kernel 2.6.x before 2.6.24, including 2.6.18, allows local users to cause a denial of service (hang) via a malformed minix file stream that triggers an infinite loop in the minix_bmap function. NOTE: this issue might be due to an integer overflow or signedness error. |
|
7 |
CVE-2006-6057 |
|
|
DoS |
2006-11-21 |
2008-09-05 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The Linux kernel 2.6.x up to 2.6.18, and possibly other versions, on Fedora Core 6 and possibly other operating systems, allows local users to cause a denial of service (crash) via a malformed gfs2 file stream that triggers a NULL pointer dereference in the init_journal function. |
|
8 |
CVE-2006-6056 |
|
|
DoS |
2006-11-21 |
2010-09-15 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Linux kernel 2.6.x up to 2.6.18 and possibly other versions, when SELinux hooks are enabled, allows local users to cause a denial of service (crash) via a malformed file stream that triggers a NULL pointer dereference in the superblock_doinit function, as demonstrated using an HFS filesystem image. |
|
9 |
CVE-2006-6054 |
|
|
DoS |
2006-11-21 |
2010-08-21 |
4.0 |
None |
Local |
High |
Not required |
None |
None |
Complete |
|
The ext2 file system code in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via an ext2 stream with malformed data structures that triggers an error in the ext2_check_page due to a length that is smaller than the minimum. |
|
10 |
CVE-2006-6053 |
|
|
DoS |
2006-11-21 |
2010-09-15 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The ext3fs_dirhash function in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via an ext3 stream with malformed data structures. |
|
11 |
CVE-2006-5871 |
|
|
|
2006-12-11 |
2010-08-21 |
4.1 |
None |
Local |
Medium |
Single system |
Partial |
Partial |
Partial |
|
smbfs in Linux kernel 2.6.8 and other versions, and 2.4.x before 2.4.34, when UNIX extensions are enabled, ignores certain mount options, which could cause clients to use server-specified uid, gid and mode settings. |
|
12 |
CVE-2006-5823 |
|
|
DoS Mem. Corr. |
2006-11-09 |
2010-09-15 |
4.0 |
None |
Local |
High |
Not required |
None |
None |
Complete |
|
The zlib_inflate function in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via a malformed filesystem that uses zlib compression that triggers memory corruption, as demonstrated using cramfs. |
|
13 |
CVE-2006-5757 |
|
|
DoS |
2006-11-06 |
2010-09-15 |
1.2 |
None |
Local |
High |
Not required |
None |
None |
Partial |
|
Race condition in the __find_get_block_slow function in the ISO9660 filesystem in Linux 2.6.18 and possibly other versions allows local users to cause a denial of service (infinite loop) by mounting a crafted ISO9660 filesystem containing malformed data structures. |
|
14 |
CVE-2006-5755 |
|
|
DoS |
2006-12-31 |
2010-08-21 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Linux kernel before 2.6.18, when running on x86_64 systems, does not properly save or restore EFLAGS during a context switch, which allows local users to cause a denial of service (crash) by causing SYSENTER to set an NT flag, which can trigger a crash on the IRET of the next task. |
|
15 |
CVE-2006-5751 |
|
|
Exec Code Overflow |
2006-12-01 |
2010-09-15 |
7.2 |
Admin |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Integer overflow in the get_fdb_entries function in net/bridge/br_ioctl.c in the Linux kernel before 2.6.18.4 allows local users to execute arbitrary code via a large maxnum value in an ioctl request. |
|
16 |
CVE-2006-5749 |
|
|
|
2006-12-31 |
2010-09-15 |
1.7 |
None |
Local |
Low |
Single system |
None |
None |
Partial |
|
The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c in the Linux 2.4 kernel before 2.4.34-rc4 does not call the init_timer function for the ISDN PPP CCP reset state timer, which has unknown attack vectors and results in a system crash. |
|
17 |
CVE-2006-5701 |
|
|
DoS |
2006-11-03 |
2010-09-15 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Double free vulnerability in squashfs module in the Linux kernel 2.6.x, as used in Fedora Core 5 and possibly other distributions, allows local users to cause a denial of service by mounting a crafted squashfs filesystem. |
|
18 |
CVE-2006-5619 |
399 |
|
DoS |
2006-10-31 |
2012-03-19 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The seqfile handling (ip6fl_get_n function in ip6_flowlabel.c) in Linux kernel 2.6 up to 2.6.18-stable allows local users to cause a denial of service (hang or oops) via unspecified manipulations that trigger an infinite loop while searching for flowlabels. |
|
19 |
CVE-2006-5174 |
|
|
|
2006-10-10 |
2010-08-21 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The copy_from_user function in the uaccess code in Linux kernel 2.6 before 2.6.19-rc1, when running on s390, does not properly clear a kernel buffer, which allows local user space programs to read portions of kernel memory by "appending to a file from a bad address," which triggers a fault that prevents the unused memory from being cleared in the kernel buffer. |
|
20 |
CVE-2006-5173 |
|
|
DoS |
2006-10-17 |
2008-11-15 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Linux kernel does not properly save or restore EFLAGS during a context switch, or reset the flags when creating new threads, which allows local users to cause a denial of service (process crash), as demonstrated using a process that sets the Alignment Check flag (EFLAGS 0x40000), which triggers a SIGBUS in other processes that have an unaligned access. |
|
21 |
CVE-2006-5158 |
|
|
DoS |
2006-10-05 |
2012-03-19 |
3.3 |
None |
Local Network |
Low |
Not required |
None |
None |
Partial |
|
The nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (process crash) and deny access to NFS exports via unspecified vectors that trigger a kernel oops (null dereference) and a deadlock. |
|
22 |
CVE-2006-4997 |
|
|
DoS |
2006-10-10 |
2010-09-15 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
The clip_mkip function in net/atm/clip.c of the ATM subsystem in Linux kernel allows remote attackers to cause a denial of service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed (freed pointer dereference). |
|
23 |
CVE-2006-4814 |
399 |
|
|
2006-12-19 |
2011-06-20 |
4.6 |
None |
Local |
Low |
Single system |
None |
None |
Complete |
|
The mincore function in the Linux kernel before 2.4.33.6 does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock. |
|
24 |
CVE-2006-4813 |
|
|
|
2006-10-12 |
2010-09-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The __block_prepare_write function in fs/buffer.c for Linux kernel 2.6.x before 2.6.13 does not properly clear buffers during certain error conditions, which allows local users to read portions of files that have been unlinked. |
|
25 |
CVE-2006-4663 |
|
|
|
2006-09-08 |
2008-09-05 |
4.6 |
User |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
** DISPUTED ** The source code tar archive of the Linux kernel 2.6.16, 2.6.17.11, and possibly other versions specifies weak permissions (0666 and 0777) for certain files and directories, which might allow local users to insert Trojan horse source code that would be used during the next kernel compilation. NOTE: another researcher disputes the vulnerability, stating that he finds "Not a single world-writable file or directory." CVE analysis as of 20060908 indicates that permissions will only be weak under certain unusual or insecure scenarios. |
|
26 |
CVE-2006-4623 |
|
|
DoS |
2006-09-11 |
2010-09-15 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The Unidirectional Lightweight Encapsulation (ULE) decapsulation component in dvb-core/dvb_net.c in the dvb driver in the Linux kernel 2.6.17.8 allows remote attackers to cause a denial of service (crash) via an SNDU length of 0 in a ULE packet. |
|
27 |
CVE-2006-4572 |
264 |
|
Bypass |
2006-11-06 |
2012-03-19 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
ip6_tables in netfilter in the Linux kernel before 2.6.16.31 allows remote attackers to (1) bypass a rule that disallows a protocol, via a packet with the protocol header not located immediately after the fragment header, aka "ip6_tables protocol bypass bug;" and (2) bypass a rule that looks for a certain extension header, via a packet with an extension header outside the first fragment, aka "ip6_tables extension header bypass bug." |
|
28 |
CVE-2006-4538 |
|
|
DoS |
2006-09-05 |
2010-09-15 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Linux kernel 2.6.17 and earlier, when running on IA64 or SPARC platforms, allows local users to cause a denial of service (crash) via a malformed ELF file that triggers memory maps that cross region boundaries. |
|
29 |
CVE-2006-4535 |
|
|
DoS |
2006-09-19 |
2010-09-15 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The Linux kernel 2.6.17.10 and 2.6.17.11 and 2.6.18-rc5 allows local users to cause a denial of service (crash) via an SCTP socket with a certain SO_LINGER value, possibly related to the patch for CVE-2006-3745. NOTE: older kernel versions for specific Linux distributions are also affected, due to backporting of the CVE-2006-3745 patch. |
|
30 |
CVE-2006-4145 |
399 |
|
DoS |
2006-08-21 |
2012-03-19 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The Universal Disk Format (UDF) filesystem driver in Linux kernel 2.6.17 and earlier allows local users to cause a denial of service (hang and crash) via certain operations involving truncated files, as demonstrated via the dd command. |
|
31 |
CVE-2006-4093 |
|
|
DoS |
2006-08-21 |
2010-08-21 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Linux kernel 2.x.6 before 2.6.17.9 and 2.4.x before 2.4.33.1 on PowerPC PPC970 systems allows local users to cause a denial of service (crash) related to the "HID0 attention enable on PPC970 at boot time." |
|
32 |
CVE-2006-3745 |
|
|
DoS +Priv |
2006-08-23 |
2012-03-19 |
7.2 |
Admin |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in the sctp_make_abort_user function in the SCTP implementation in Linux 2.6.x before 2.6.17.10 and 2.4.23 up to 2.4.33 allows local users to cause a denial of service (panic) and possibly gain root privileges via unknown attack vectors. |
|
33 |
CVE-2006-3741 |
|
|
DoS |
2006-10-10 |
2010-09-15 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The perfmonctl system call (sys_perfmonctl) in Linux kernel 2.4.x and 2.6 before 2.6.18, when running on Itanium systems, does not properly track the reference count for file descriptors, which allows local users to cause a denial of service (file descriptor consumption). |
|
34 |
CVE-2006-3634 |
|
|
DoS |
2006-08-04 |
2011-01-19 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The (1) __futex_atomic_op and (2) futex_atomic_cmpxchg_inatomic functions in Linux kernel 2.6.17-rc4 to 2.6.18-rc2 perform the atomic futex operation in the kernel address space instead of the user address space, which allows local users to cause a denial of service (crash). |
|
35 |
CVE-2006-3626 |
|
|
+Priv |
2006-07-18 |
2010-09-15 |
6.2 |
Admin |
Local |
High |
Not required |
Complete |
Complete |
Complete |
|
Race condition in Linux kernel 2.6.17.4 and earlier allows local users to gain root privileges by using prctl with PR_SET_DUMPABLE in a way that causes /proc/self/environ to become setuid root. |
|
36 |
CVE-2006-3468 |
|
|
DoS |
2006-07-21 |
2010-08-21 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Linux kernel 2.6.x, when using both NFS and EXT3, allows remote attackers to cause a denial of service (file system panic) via a crafted UDP packet with a V2 lookup procedure that specifies a bad file handle (inode number), which triggers an error and causes an exported directory to be remounted read-only. |
|
37 |
CVE-2006-3085 |
|
|
DoS |
2006-06-23 |
2010-09-15 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
xt_sctp in netfilter for Linux kernel before 2.6.17.1 allows attackers to cause a denial of service (infinite loop) via an SCTP chunk with a 0 length. |
|
38 |
CVE-2006-2936 |
399 |
|
DoS |
2006-07-10 |
2012-03-19 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the hardware can handle, which causes the data to be queued. |
|
39 |
CVE-2006-2935 |
|
|
Exec Code Overflow |
2006-07-05 |
2010-08-21 |
4.6 |
User |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The dvd_read_bca function in the DVD handling code in drivers/cdrom/cdrom.c in Linux kernel 2.2.16, and later versions, assigns the wrong value to a length variable, which allows local users to execute arbitrary code via a crafted USB Storage device that triggers a buffer overflow. |
|
40 |
CVE-2006-2934 |
399 |
|
DoS |
2006-06-30 |
2012-03-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
SCTP conntrack (ip_conntrack_proto_sctp.c) in netfilter for Linux kernel 2.6.17 before 2.6.17.3 and 2.6.16 before 2.6.16.23 allows remote attackers to cause a denial of service (crash) via a packet without any chunks, which causes a variable to contain an invalid value that is later used to dereference a pointer. |
|
41 |
CVE-2006-2932 |
|
|
DoS |
2006-08-23 |
2012-03-19 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
A regression error in the restore_all code path of the 4/4GB split support for non-hugemem Linux kernels on Red Hat Linux Desktop and Enterprise Linux 4 allows local users to cause a denial of service (panic) via unspecified vectors. |
|
42 |
CVE-2006-2629 |
|
|
DoS Mem. Corr. |
2006-05-27 |
2008-09-05 |
4.0 |
None |
Local |
High |
Not required |
None |
None |
Complete |
|
Race condition in Linux kernel 2.6.15 to 2.6.17, when running on SMP platforms, allows local users to cause a denial of service (crash) by creating and exiting a large number of tasks, then accessing the /proc entry of a task that is exiting, which causes memory corruption that leads to a failure in the prune_dcache function or a BUG_ON error in include/linux/list.h. |
|
43 |
CVE-2006-2451 |
399 |
|
DoS +Priv |
2006-07-07 |
2012-03-19 |
4.6 |
User |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions. |
|
44 |
CVE-2006-2448 |
|
|
DoS |
2006-06-23 |
2010-08-21 |
5.6 |
None |
Local |
High |
Not required |
Complete |
None |
Complete |
|
Linux kernel before 2.6.16.21 and 2.6.17, when running on PowerPC, does not perform certain required access_ok checks, which allows local users to read arbitrary kernel memory on 64-bit systems (signal_64.c) and cause a denial of service (crash) and possibly read kernel memory on 32-bit systems (signal_32.c). |
|
45 |
CVE-2006-2446 |
|
|
DoS |
2006-08-15 |
2010-08-21 |
5.4 |
None |
Remote |
High |
Not required |
None |
None |
Complete |
|
Race condition between the kfree_skb and __skb_unlink functions in the socket buffer handling in Linux kernel 2.6.9, and possibly other versions, allows remote attackers to cause a denial of service (crash), as demonstrated using the TCP stress tests from the LTP test suite. |
|
46 |
CVE-2006-2445 |
|
|
DoS |
2006-06-23 |
2010-04-02 |
4.0 |
None |
Local |
High |
Not required |
None |
None |
Complete |
|
Race condition in run_posix_cpu_timers in Linux kernel before 2.6.16.21 allows local users to cause a denial of service (BUG_ON crash) by causing one CPU to attach a timer to a process that is exiting. |
|
47 |
CVE-2006-2444 |
|
|
DoS |
2006-05-25 |
2010-08-21 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The snmp_trap_decode function in the SNMP NAT helper for Linux kernel before 2.6.16.18 allows remote attackers to cause a denial of service (crash) via unspecified remote attack vectors that cause failures in snmp_trap_decode that trigger (1) frees of random memory or (2) frees of previously-freed memory (double-free) by snmp_trap_decode as well as its calling function, as demonstrated via certain test cases of the PROTOS SNMP test suite. |
|
48 |
CVE-2006-2071 |
|
|
Bypass |
2006-04-27 |
2010-08-21 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Linux kernel 2.4.x and 2.6.x up to 2.6.16 allows local users to bypass IPC permissions and modify a readonly attachment of shared memory by using mprotect to give write permission to the attachment. NOTE: some original raw sources combined this issue with CVE-2006-1524, but they are different bugs. |
|
49 |
CVE-2006-1864 |
|
|
Dir. Trav. |
2006-04-26 |
2010-08-21 |
4.6 |
User |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1863. |
|
50 |
CVE-2006-1863 |
|
|
Dir. Trav. |
2006-04-25 |
2010-08-21 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1864. |
