CVE-2017-16649 : The usbnet_generic_cdc_bind function in drivers/net/usb/cdc

The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.

Published 2017-11-07 23:29:00

Updated 2018-11-28 11:29:03

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2017-16649

Linux » Linux Kernel
Versions up to, including, (<=) 4.13.11
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-16649

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 10 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-16649

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
6.6	MEDIUM	CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	0.7	5.9	NIST
Attack Vector: Physical Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-16649

CWE-369 Divide By Zero

The product divides a value by zero.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-16649

https://usn.ubuntu.com/3617-2/

USN-3617-2: Linux (HWE) vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://www.securityfocus.com/bid/101761

Linux Kernel 'drivers/net/usb/cdc_ether.c' Local Denial of Service Vulnerability
Third Party Advisory;VDB Entry
https://lists.debian.org/debian-lts-announce/2017/12/msg00004.html

[SECURITY] [DLA 1200-1] linux security update

CVEs referencing this url
https://usn.ubuntu.com/3617-1/

USN-3617-1: Linux kernel vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://usn.ubuntu.com/3822-1/

USN-3822-1: Linux kernel vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://patchwork.ozlabs.org/patch/834771/

[net,stable] net: cdc_ether: fix divide by 0 on bad descriptors - Patchwork
Mailing List;Third Party Advisory
https://usn.ubuntu.com/3619-1/

USN-3619-1: Linux kernel vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://usn.ubuntu.com/3619-2/

USN-3619-2: Linux kernel (Xenial HWE) vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://usn.ubuntu.com/3617-3/

USN-3617-3: Linux kernel (Raspberry Pi 2) vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://usn.ubuntu.com/3822-2/

USN-3822-2: Linux kernel (Trusty HWE) vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://groups.google.com/d/msg/syzkaller/0e0gmaX9R0g/9Me9JcY2BQAJ

Google Groepen
Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-16649

Products affected by CVE-2017-16649

Exploit prediction scoring system (EPSS) score for CVE-2017-16649

CVSS scores for CVE-2017-16649

CWE ids for CVE-2017-16649

References for CVE-2017-16649