| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 101 | CVE-2016-5728 | 119 | | DoS Overflow Mem. Corr. +Info | 2016-06-27 | 2016-11-28 | 5.4 | None | Local | Medium | Not required | Partial | None | Complete | Race condition in the vop_ioctl function in drivers/misc/mic/vop/vop_vringh.c in the MIC VOP driver in the Linux kernel before 4.6.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (memory corruption and system crash) by changing a certain header, aka a "double fetch" vulnerability. |
| 102 | CVE-2016-5696 | 200 | | +Info | 2016-08-06 | 2018-01-04 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial | net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack. |
| 103 | CVE-2016-5244 | 200 | | +Info | 2016-06-27 | 2017-02-19 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel through 4.6.3 does not initialize a certain structure member, which allows remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message. |
| 104 | CVE-2016-5243 | 200 | | +Info | 2016-06-27 | 2016-11-28 | 2.1 | None | Local | Low | Not required | Partial | None | None | The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel through 4.6.3 does not properly copy a certain string, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message. |
| 105 | CVE-2016-4998 | 119 | | DoS Overflow +Info | 2016-07-03 | 2018-01-04 | 5.6 | None | Local | Low | Not required | Partial | None | Complete | The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary. |
| 106 | CVE-2016-4913 | 200 | | +Info | 2016-05-23 | 2016-11-28 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem. |
| 107 | CVE-2016-4580 | 200 | | +Info | 2016-05-23 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request. |
| 108 | CVE-2016-4578 | 200 | | +Info | 2016-05-23 | 2018-01-04 | 2.1 | None | Local | Low | Not required | Partial | None | None | sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions. |
| 109 | CVE-2016-4569 | 200 | | +Info | 2016-05-23 | 2018-01-04 | 2.1 | None | Local | Low | Not required | Partial | None | None | The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface. |
| 110 | CVE-2016-4486 | 200 | | +Info | 2016-05-23 | 2016-11-28 | 2.1 | None | Local | Low | Not required | Partial | None | None | The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message. |
| 111 | CVE-2016-4485 | 200 | | +Info | 2016-05-23 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory by reading a message. |
| 112 | CVE-2016-4482 | 200 | | +Info | 2016-05-23 | 2016-11-28 | 2.1 | None | Local | Low | Not required | Partial | None | None | The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call. |
| 113 | CVE-2016-3713 | 284 | | DoS +Info | 2016-06-27 | 2016-06-27 | 5.6 | None | Local | Low | Not required | Partial | None | Complete | The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in the Linux kernel before 4.6.1 supports MSR 0x2f8, which allows guest OS users to read or write to the kvm_arch_vcpu data structure, and consequently obtain sensitive information or cause a denial of service (system crash), via a crafted ioctl call. |
| 114 | CVE-2016-2383 | 200 | | +Info | 2016-04-27 | 2016-12-02 | 2.1 | None | Local | Low | Not required | Partial | None | None | The adjust_branches function in kernel/bpf/verifier.c in the Linux kernel before 4.5 does not consider the delta in the backward-jump case, which allows local users to obtain sensitive information from kernel memory by creating a packet filter and then loading crafted BPF instructions. |
| 115 | CVE-2016-2117 | 200 | | +Info | 2016-05-02 | 2018-01-04 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2 incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from kernel memory by reading packet data. |
| 116 | CVE-2016-0823 | 200 | | +Info | 2016-03-12 | 2016-11-28 | 2.1 | None | Local | Low | Not required | Partial | None | None | The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel before 3.19.3, as used in Android 6.0.1 before 2016-03-01, allows local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721. |
| 117 | CVE-2016-0723 | 362 | | DoS +Info | 2016-02-07 | 2016-12-05 | 5.6 | None | Local | Low | Not required | Partial | None | Complete | Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call. |
| 118 | CVE-2015-8964 | 200 | | +Info | 2016-11-16 | 2016-11-28 | 7.1 | None | Remote | Medium | Not required | Complete | None | None | The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel before 4.5 allows local users to obtain sensitive information from kernel memory by reading a tty data structure. |
| 119 | CVE-2015-8956 | 476 | | DoS +Info | 2016-10-10 | 2018-01-04 | 3.6 | None | Local | Low | Not required | Partial | None | Partial | The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket. |
| 120 | CVE-2015-8950 | 200 | | +Info | 2016-10-10 | 2016-11-28 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | arch/arm64/mm/dma-mapping.c in the Linux kernel before 4.0.3, as used in the ION subsystem in Android and other products, does not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory by triggering a dma_mmap call. |
| 121 | CVE-2015-8944 | 200 | | +Info | 2016-08-06 | 2016-11-28 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The ioresources_init function in kernel/resource.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak permissions for /proc/iomem, which allows local users to obtain sensitive information by reading this file, aka Android internal bug 28814213 and Qualcomm internal bug CR786116. NOTE: the permissions may be intentional in most non-Android contexts. |
| 122 | CVE-2015-8575 | 200 | | Bypass +Info | 2016-02-07 | 2017-11-03 | 2.1 | None | Local | Low | Not required | Partial | None | None | The sco_sock_bind function in net/bluetooth/sco.c in the Linux kernel before 4.3.4 does not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application. |
| 123 | CVE-2015-8569 | 200 | | Bypass +Info | 2015-12-28 | 2017-11-03 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel through 4.3.3 do not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application. |
| 124 | CVE-2015-8374 | 200 | | +Info | 2015-12-28 | 2018-01-04 | 2.1 | None | Local | Low | Not required | Partial | None | None | fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compressed inline extents, which allows local users to obtain sensitive pre-truncation information from a file via a clone action. |
| 125 | CVE-2015-7885 | 200 | | +Info | 2015-12-28 | 2016-12-07 | 2.1 | None | Local | Low | Not required | Partial | None | None | The dgnc_mgmt_ioctl function in drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application. |
| 126 | CVE-2015-7884 | 200 | | +Info | 2015-12-28 | 2016-12-07 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The vivid_fb_ioctl function in drivers/media/platform/vivid/vivid-osd.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application. |
| 127 | CVE-2015-5738 | 200 | | +Info | 2016-07-26 | 2017-09-02 | 7.8 | None | Remote | Low | Not required | Complete | None | None | The RSA-CRT implementation in the Cavium Software Development Kit (SDK) 2.x, when used on OCTEON II CN6xxx Hardware on Linux to support TLS with Perfect Forward Secrecy (PFS), makes it easier for remote attackers to obtain private RSA keys by conducting a Lenstra side-channel attack. |
| 128 | CVE-2015-5697 | 200 | | +Info | 2015-08-31 | 2017-09-20 | 2.1 | None | Local | Low | Not required | Partial | None | None | The get_bitmap_file function in drivers/md/md.c in the Linux kernel before 4.1.6 does not initialize a certain bitmap data structure, which allows local users to obtain sensitive information from kernel memory via a GET_BITMAP_FILE ioctl call. |
| 129 | CVE-2015-4176 | 200 | | +Info | 2016-05-02 | 2016-05-05 | 2.1 | None | Local | Low | Not required | None | Partial | None | fs/namespace.c in the Linux kernel before 4.0.2 does not properly support mount connectivity, which allows local users to read arbitrary files by leveraging user-namespace root access for deletion of a file or directory. |
| 130 | CVE-2015-4004 | 119 | | DoS Overflow +Info | 2015-06-07 | 2016-11-28 | 8.5 | None | Remote | Low | Not required | Partial | None | Complete | The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via a crafted packet. |
| 131 | CVE-2015-2877 | 200 | | +Info | 2017-03-03 | 2017-03-16 | 2.1 | None | Local | Low | Not required | Partial | None | None | ** DISPUTED ** Kernel Samepage Merging (KSM) in the Linux kernel 2.6.32 through 4.x does not prevent use of a write-timing side channel, which allows guest OS users to defeat the ASLR protection mechanism on other guest OS instances via a Cross-VM ASL INtrospection (CAIN) attack. NOTE: the vendor states "Basically if you care about this attack vector, disable deduplication." Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities. |
| 132 | CVE-2015-2042 | 17 | | +Info | 2015-04-21 | 2017-01-02 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | net/rds/sysctl.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry. |
| 133 | CVE-2015-2041 | 17 | | +Info | 2015-04-21 | 2017-01-02 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | net/llc/sysctl_net_llc.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry. |
| 134 | CVE-2014-9903 | 200 | | +Info | 2016-06-27 | 2016-11-28 | 2.1 | None | Local | Low | Not required | Partial | None | None | The sched_read_attr function in kernel/sched/core.c in the Linux kernel 3.14-rc before 3.14-rc4 uses an incorrect size, which allows local users to obtain sensitive information from kernel stack memory via a crafted sched_getattr system call. |
| 135 | CVE-2014-9900 | 200 | | +Info | 2016-08-06 | 2016-11-28 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The ethtool_get_wol function in net/core/ethtool.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not initialize a certain data structure, which allows local users to obtain sensitive information via a crafted application, aka Android internal bug 28803952 and Qualcomm internal bug CR570754. |
| 136 | CVE-2014-9895 | 200 | | +Info | 2016-08-06 | 2016-11-28 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | drivers/media/media-device.c in the Linux kernel before 3.11, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize certain data structures, which allows local users to obtain sensitive information via a crafted application, aka Android internal bug 28750150 and Qualcomm internal bug CR570757, a different vulnerability than CVE-2014-1739. |
| 137 | CVE-2014-9892 | 200 | | +Info | 2016-08-06 | 2016-11-28 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The snd_compr_tstamp function in sound/core/compress_offload.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize a timestamp data structure, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28770164 and Qualcomm internal bug CR568717. |
| 138 | CVE-2014-9731 | 17 | | +Info | 2015-08-31 | 2017-07-12 | 2.1 | None | Local | Low | Not required | Partial | None | None | The UDF filesystem implementation in the Linux kernel before 3.18.2 does not ensure that space is available for storing a symlink target's name along with a trailing \0 character, which allows local users to obtain sensitive information via a crafted filesystem image, related to fs/udf/symlink.c and fs/udf/unicode.c. |
| 139 | CVE-2014-9584 | 20 | | +Info | 2015-01-09 | 2018-01-04 | 2.1 | None | Local | Low | Not required | Partial | None | None | The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image. |
| 140 | CVE-2014-9419 | 200 | | Bypass +Info | 2014-12-25 | 2018-01-04 | 2.1 | None | Local | Low | Not required | Partial | None | None | The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address. |
| 141 | CVE-2014-8709 | 200 | | +Info | 2014-11-10 | 2017-09-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 does not properly maintain a certain tail pointer, which allows remote attackers to obtain sensitive cleartext information by reading packets. |
| 142 | CVE-2014-7284 | 200 | | +Info | 2014-10-13 | 2014-10-15 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial | The net_get_random_once implementation in net/core/utils.c in the Linux kernel 3.13.x and 3.14.x before 3.14.5 on certain Intel processors does not perform the intended slow-path operation to initialize random seeds, which makes it easier for remote attackers to spoof or disrupt IP communication by leveraging the predictability of TCP sequence numbers, TCP and UDP port numbers, and IP ID values. |
| 143 | CVE-2014-4653 | | | DoS +Info | 2014-07-03 | 2017-01-06 | 6.6 | None | Local | Low | Not required | Complete | None | Complete | sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. |
| 144 | CVE-2014-4652 | 362 | | +Info | 2014-07-03 | 2017-08-28 | 4.7 | None | Local | Medium | Not required | Complete | None | None | Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. |
| 145 | CVE-2014-4027 | 264 | | +Info | 2014-06-23 | 2017-01-06 | 2.3 | None | Local Network | Medium | Single system | Partial | None | None | The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator. |
| 146 | CVE-2014-3917 | 200 | | DoS +Info | 2014-06-05 | 2016-04-01 | 3.3 | None | Local | Medium | Not required | Partial | None | Partial | kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number. |
| 147 | CVE-2014-2608 | | | +Priv +Info | 2014-12-10 | 2014-12-12 | 2.1 | None | Local | Low | Not required | Partial | None | None | Unspecified vulnerability in HP Smart Update Manager 6.x before 6.4.1 on Windows, and 6.2.x through 6.4.x before 6.4.1 on Linux, allows local users to obtain sensitive information, and consequently gain privileges, via unknown vectors. |
| 148 | CVE-2014-2568 | 399 | | +Info | 2014-03-24 | 2017-12-28 | 2.9 | None | Local Network | Medium | Not required | Partial | None | None | Use-after-free vulnerability in the nfqnl_zcopy function in net/netfilter/nfnetlink_queue_core.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. NOTE: the affected code was moved to the skb_zerocopy function in net/core/skbuff.c before the vulnerability was announced. |
| 149 | CVE-2014-2038 | 20 | | +Info | 2014-02-28 | 2014-03-16 | 3.7 | None | Local | High | Not required | Partial | Partial | Partial | The nfs_can_extend_write function in fs/nfs/write.c in the Linux kernel before 3.13.3 relies on a write delegation to extend a write operation without a certain up-to-date verification, which allows local users to obtain sensitive information from kernel memory in opportunistic circumstances by writing to a file in an NFS filesystem and then reading the same file. |
| 150 | CVE-2014-1739 | 200 | | +Info | 2014-06-23 | 2017-12-20 | 1.7 | None | Local | Low | Single system | Partial | None | None | The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call. |