Vulnerability Details : CVE-2016-8666
The IP stack in the Linux kernel before 4.6 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for packets with tunnel stacking, as demonstrated by interleaved IPv4 headers and GRE headers, a related issue to CVE-2016-7039.
Vulnerability category: Denial of service
Products affected by CVE-2016-8666
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Threat overview for CVE-2016-8666
- Top open port discovered on systems with this issue: 49152
- IPs affected by CVE-2016-8666: 10,487
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2016-8666
- EPSS score: 3.52% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~87% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2016-8666
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C | 10.0 | 6.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2016-8666
- The product does not properly control the allocation and maintenance of a limited resource. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-8666
- https://bto.bluecoat.com/security-advisory/sa134 (SA134 : Linux Kernel Vulnerabilities Oct/Nov 2016)
- https://access.redhat.com/errata/RHSA-2017:0372 (Red Hat Customer Portal)
- http://www.openwall.com/lists/oss-security/2016/10/13/11 (oss-security - CVE Request: another recursion in GRE)
- http://rhn.redhat.com/errata/RHSA-2016-2110.html (RHSA-2016:2110 - Security Advisory - Red Hat Customer Portal)
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fac8e0f579695a3ecbc4d3cac369139d7f819971 (kernel/git/torvalds/linux.git - Linux kernel source tree)
- https://github.com/torvalds/linux/commit/fac8e0f579695a3ecbc4d3cac369139d7f819971 (tunnels: Don't apply GRO to multiple layers of encapsulation. · torvalds/linux@fac8e0f · GitHub)
- http://rhn.redhat.com/errata/RHSA-2016-2107.html (RHSA-2016:2107 - Security Advisory - Red Hat Customer Portal)
- http://rhn.redhat.com/errata/RHSA-2016-2047.html
- http://www.securityfocus.com/bid/93562 (Linux Kernel CVE-2016-8666 Stack Overflow Denial of Service Vulnerability)
- http://rhn.redhat.com/errata/RHSA-2017-0004.html (RHSA-2017:0004 - Security Advisory - Red Hat Customer Portal)
- https://bugzilla.suse.com/show_bug.cgi?id=1001486 (Bug 1001486 – VUL-0: CVE-2016-7039, CVE-2016-8666: kernel-source: remote crash via stack overflow)
- https://bugzilla.redhat.com/show_bug.cgi?id=1384991 (1384991 – (CVE-2016-8666) CVE-2016-8666 kernel: Remotely triggerable recursion in GRE code leading to kernel crash)