Vulnerability Details : CVE-2016-10088
The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.
Vulnerability category: Memory Corruption, Denial of service
Products affected by CVE-2016-10088
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Threat overview for CVE-2016-10088
Top countries where our scanners detected CVE-2016-10088
Top open port discovered on systems with this issue: 49152
IPs affected by CVE-2016-10088: 25,524
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2016-10088
- 0.03%: Probability of exploitation activity in the next 30 days
- ~ 6%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-10088
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C | 3.4 | 10.0 | NIST | |
7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 | NIST | |
CWE ids for CVE-2016-10088
- The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-10088
- http://www.securityfocus.com/bid/95169
  Linux Kernel CVE-2016-10088 Incomplete Fix Multiple Local Memory Corruption Vulnerabilities (Third Party Advisory; VDB Entry)
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=128394eff343fc6d2f32172f03e24829539c5835
  kernel/git/torvalds/linux.git - Linux kernel source tree (Patch; Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2016/12/30/1
  oss-security - Re: Linux Kernel use-after-free in SCSI generic device interface (Mailing List; Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2017-0817.html
  RHSA-2017:0817 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:1842
  RHSA-2017:1842 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:2077
  RHSA-2017:2077 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://github.com/torvalds/linux/commit/128394eff343fc6d2f32172f03e24829539c5835
  sg_write()/bsg_write() is not fit to be called under KERNEL_DS · torvalds/linux@128394e · GitHub (Patch; Vendor Advisory)
- http://www.securitytracker.com/id/1037538
  Linux Kernel sg_write() and bsg_write() Functions Let Local Users Obtain Root Privileges - SecurityTracker (Third Party Advisory; VDB Entry)
- https://access.redhat.com/errata/RHSA-2017:2669
  RHSA-2017:2669 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)