Vulnerability Details : CVE-2017-14497
The tpacket_rcv function in net/packet/af_packet.c in the Linux kernel before 4.13 mishandles vnet headers, which might allow local users to cause a denial of service (buffer overflow, and disk and memory corruption) or possibly have unspecified other impact via crafted system calls.
Vulnerability category: OverflowMemory CorruptionDenial of service
Products affected by CVE-2017-14497
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-14497
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 14 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-14497
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2
|
HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
3.9
|
10.0
|
NIST | |
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
CWE ids for CVE-2017-14497
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-14497
-
http://www.debian.org/security/2017/dsa-3981
Debian -- Security Information -- DSA-3981-1 linuxThird Party Advisory
-
http://www.securitytracker.com/id/1039371
Linux Kernel Buffer Overflow in tpacket_rcv() Lets Local Users Cause Denial of Service Conditions - SecurityTrackerThird Party Advisory;VDB Entry
-
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=edbd58be15a957f6a760c4a514cd475217eb97fd
kernel/git/torvalds/linux.git - Linux kernel source treeIssue Tracking;Patch;Third Party Advisory
-
http://www.securityfocus.com/bid/100871
Linux Kernel CVE-2017-14497 Local Buffer Overflow VulnerabilityVDB Entry;Third Party Advisory
-
https://marc.info/?t=150394517700001&r=1&w=2
'[PATCH] packet: Don't write vnet header beyond end of buffer' thread - MARCMailing List;Patch;Third Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=1492593
1492593 – (CVE-2017-14497) CVE-2017-14497 kernel: buffer overflow in tpacket_rcv() in net/packet/af_packet.cIssue Tracking;Patch;Third Party Advisory
-
http://seclists.org/oss-sec/2017/q3/476
oss-sec: CVE-2017-14497: Linux kernel: packet: buffer overflow in tpacket_rcv()Mailing List;Third Party Advisory
-
http://www.securitytracker.com/id/1040106
Google Android Bugs Let Remote Users Obtain Sensitive Information, Deny Service, and Execute Arbitrary Code - SecurityTrackerThird Party Advisory;VDB Entry
-
https://github.com/torvalds/linux/commit/edbd58be15a957f6a760c4a514cd475217eb97fd
packet: Don't write vnet header beyond end of buffer · torvalds/linux@edbd58b · GitHubIssue Tracking;Patch;Third Party Advisory
-
https://marc.info/?l=linux-kernel&m=150394500728906&w=2
'[PATCH] packet: Don't write vnet header beyond end of buffer' - MARCMailing List;Patch;Third Party Advisory
-
https://source.android.com/security/bulletin/2018-01-01
Android Security Bulletin—January 2018 | Android Open Source ProjectThird Party Advisory
Jump to