The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Linux kernel

vulnerability announce 17742

Linux kernel: denial of service via Nested Task

Synthesis of the vulnerability

A local attacker can use system calls on the Linux kernel with CONFIG_IA32_EMULATION, in order to trigger a denial of service.
Impacted products: Fedora, Linux.
Severity: 1/4.
Creation date: 25/08/2015.
Identifiers: CVE-2015-6666-REJECT, FEDORA-2015-15130, FEDORA-2015-15933, VIGILANCE-VUL-17742.

Description of the vulnerability

The Linux kernel can be compiled with CONFIG_IA32_EMULATION.

An x86 processor uses the NT flag (Nested Task - task invoked by CALL). In an optimization, the Linux kernel does not save/restore flags. However, an emulated SYSENTER instruction changes the state, and the NT flag becomes invalid.

A local attacker can therefore use system calls on the Linux kernel with CONFIG_IA32_EMULATION, in order to trigger a denial of service.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability bulletin CVE-2015-6526

Linux kernel: infinite loop of perf_callchain_user_64

Synthesis of the vulnerability

A local attacker can create a program with a malicious stack layout, in order to generate an infinite loop in the perf_callchain_user_64() function of the Linux kernel.
Impacted products: Linux, openSUSE, RHEL, Ubuntu.
Severity: 1/4.
Creation date: 18/08/2015.
Identifiers: CERTFR-2015-AVI-417, CERTFR-2015-AVI-498, CVE-2015-6526, openSUSE-SU-2016:2144-1, RHSA-2015:2152-02, USN-2759-1, USN-2760-1, VIGILANCE-VUL-17693.

Description of the vulnerability

The Linux kernel can be installed on a ppc64 processor.

The perf_callchain_user_64() function of the arch/powerpc/perf/callchain.c file builds the list of function calls by unwinding the user stack, in order to log this information. However, it places no limit on the number of frames it walks.

A local attacker can therefore create a program with a malicious stack layout, in order to generate an infinite loop in the perf_callchain_user_64() function of the Linux kernel.

vulnerability announce CVE-2015-6252

Linux kernel: descriptor leak via VHOST_SET_LOG_FD

Synthesis of the vulnerability

A privileged local attacker with access to /dev/vhost-net can create a descriptor leak via VHOST_SET_LOG_FD on the Linux kernel, in order to trigger a denial of service.
Impacted products: Debian, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 18/08/2015.
Identifiers: CERTFR-2015-AVI-411, CERTFR-2015-AVI-417, CERTFR-2015-AVI-435, CERTFR-2015-AVI-508, CERTFR-2016-AVI-050, CVE-2015-6252, DSA-3364-1, openSUSE-SU-2016:2649-1, SUSE-SU-2015:1727-1, SUSE-SU-2015:2108-1, SUSE-SU-2016:0354-1, SUSE-SU-2016:2074-1, USN-2748-1, USN-2749-1, USN-2751-1, USN-2752-1, USN-2759-1, USN-2760-1, USN-2777-1, VIGILANCE-VUL-17692.

Description of the vulnerability

The Linux kernel uses the vhost driver for virtualized environments.

The VHOST_SET_LOG_FD ioctl defines the file descriptor where errors have to be logged. However, the vhost_dev_ioctl() function does not keep track of the file reference it takes for this descriptor, so the descriptor is never closed.

A privileged local attacker with access to /dev/vhost-net can therefore create a descriptor leak via VHOST_SET_LOG_FD on the Linux kernel, in order to trigger a denial of service.

vulnerability alert CVE-2015-6496

Linux kernel: denial of service via Conntrack DCCP SCTP ICMPv6

Synthesis of the vulnerability

An attacker can send DCCP, SCTP or ICMPv6 packets to the Linux kernel, in order to trigger a denial of service.
Impacted products: Debian, Fedora, Linux, netfilter, openSUSE.
Severity: 2/4.
Creation date: 18/08/2015.
Identifiers: 910, CVE-2015-6496, DSA-3341-1, FEDORA-2015-1aee5e6f0b, FEDORA-2015-5eb2131441, openSUSE-SU-2015:1688-1, VIGILANCE-VUL-17691.

Description of the vulnerability

The Linux kernel uses the Netfilter firewall, which implements connection tracking in Conntrack.

The DCCP, SCTP and ICMPv6 connection tracking modules are optional. However, when such a packet is received while the corresponding module is not loaded, a fatal error occurs.

An attacker can therefore send DCCP, SCTP or ICMPv6 packets to the Linux kernel, in order to trigger a denial of service.

vulnerability 17680

Linux kernel: information disclosure via signalfd_copyinfo

Synthesis of the vulnerability

A local attacker can read a memory fragment via signalfd_copyinfo() of the Linux kernel, in order to obtain sensitive information.
Impacted products: Linux.
Severity: 1/4.
Creation date: 17/08/2015.
Identifiers: VIGILANCE-VUL-17680.

Description of the vulnerability

The Linux kernel implements the support of Unix signals.

However, the signalfd_copyinfo() function does not initialize a memory area before returning it to the user.

A local attacker can therefore read a memory fragment via signalfd_copyinfo() of the Linux kernel, in order to obtain sensitive information.

computer vulnerability note 17679

Linux kernel: information disclosure via copy_siginfo_to_user

Synthesis of the vulnerability

A local attacker can read a memory fragment via copy_siginfo_to_user() of the Linux kernel, in order to obtain sensitive information.
Impacted products: Linux.
Severity: 1/4.
Creation date: 17/08/2015.
Identifiers: VIGILANCE-VUL-17679.

Description of the vulnerability

The Linux kernel implements the support of Unix signals.

However, the copy_siginfo_to_user() function does not initialize a memory area before returning it to the user.

A local attacker can therefore read a memory fragment via copy_siginfo_to_user() of the Linux kernel, in order to obtain sensitive information.

computer vulnerability bulletin 17678

Linux kernel: information disclosure via copy_siginfo_from_user32

Synthesis of the vulnerability

A local attacker can read a memory fragment via copy_siginfo_from_user32() of the Linux kernel, in order to obtain sensitive information.
Impacted products: Linux.
Severity: 1/4.
Creation date: 17/08/2015.
Identifiers: VIGILANCE-VUL-17678.

Description of the vulnerability

The Linux kernel implements the support of Unix signals.

However, the copy_siginfo_from_user32() function does not initialize a memory area before returning it to the user.

A local attacker can therefore read a memory fragment via copy_siginfo_from_user32() of the Linux kernel, in order to obtain sensitive information.

vulnerability alert CVE-2015-5156

Linux kernel: buffer overflow of virtnet_probe

Synthesis of the vulnerability

An attacker can generate a buffer overflow in the virtnet_probe() function of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Fedora, NSM Central Manager, NSMXpress, Linux, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 06/08/2015.
Identifiers: CERTFR-2015-AVI-435, CERTFR-2015-AVI-436, CERTFR-2018-AVI-206, CERTFR-2018-AVI-224, CERTFR-2018-AVI-241, CVE-2015-5156, DSA-3364-1, FEDORA-2015-0253d1f070, FEDORA-2015-c15f00eb95, JSA10853, RHSA-2015:1977-01, RHSA-2015:1978-01, RHSA-2016:0855-01, SUSE-SU-2015:1727-1, SUSE-SU-2015:2292-1, SUSE-SU-2018:1080-1, SUSE-SU-2018:1172-1, SUSE-SU-2018:1309-1, USN-2773-1, USN-2774-1, USN-2775-1, USN-2776-1, USN-2777-1, USN-2778-1, USN-2779-1, VIGILANCE-VUL-17601.

Description of the vulnerability

A KVM guest system uses the drivers/net/virtio_net.c network driver of the Linux kernel.

However, the NETIF_F_FRAGLIST option is used, so if the number of fragments in a packet is greater than the size of the storage array, an overflow occurs.

An attacker can therefore generate a buffer overflow in the virtnet_probe() function of the Linux kernel, in order to trigger a denial of service, and possibly to run code.

computer vulnerability CVE-2015-3290 CVE-2015-3291 CVE-2015-5157

Linux kernel: four vulnerabilities of NMI

Synthesis of the vulnerability

Several vulnerabilities were announced in the NMI (Non-maskable interrupt) processing by the Linux kernel.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, NSM Central Manager, NSMXpress, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 23/07/2015.
Revision date: 05/08/2015.
Identifiers: CERTFR-2015-AVI-321, CERTFR-2015-AVI-324, CERTFR-2015-AVI-357, CERTFR-2015-AVI-508, CERTFR-2015-AVI-563, CERTFR-2016-AVI-050, CERTFR-2017-AVI-012, CERTFR-2017-AVI-022, CVE-2015-3290, CVE-2015-3291, CVE-2015-5157, DSA-3313-1, FEDORA-2015-12437, JSA10774, JSA10853, openSUSE-SU-2015:1382-1, openSUSE-SU-2015:1842-1, openSUSE-SU-2016:0301-1, openSUSE-SU-2016:0318-1, RHSA-2016:0185-01, RHSA-2016:0212-01, RHSA-2016:0224-01, RHSA-2016:0715-01, SOL17326, SUSE-SU-2015:1727-1, SUSE-SU-2015:2108-1, SUSE-SU-2015:2339-1, SUSE-SU-2015:2350-1, SUSE-SU-2016:0354-1, USN-2687-1, USN-2688-1, USN-2689-1, USN-2690-1, USN-2691-1, USN-2700-1, USN-2701-1, VIGILANCE-VUL-17495.

Description of the vulnerability

Several vulnerabilities were announced in the NMI (Non-maskable interrupt) processing by the Linux kernel.

An attacker can change the execution path of SYSCALL/SYSRET instructions, in order to run code with kernel privileges. [severity:2/4; CVE-2015-3291]

An attacker can generate a memory corruption after an IRET instruction fault, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2015-5157]

An attacker can generate a log filling, in order to trigger a denial of service. [severity:2/4]

An attacker can generate a memory corruption by nesting NMIs on a 64 bit processor, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2015-3290]

computer vulnerability alert CVE-2015-5707

Linux kernel: integer overflow of SCSI sg_start_req

Synthesis of the vulnerability

A local attacker can generate an integer overflow in the SCSI driver of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Android OS, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 03/08/2015.
Identifiers: CERTFR-2015-AVI-331, CERTFR-2015-AVI-369, CERTFR-2015-AVI-372, CERTFR-2015-AVI-411, CERTFR-2015-AVI-417, CERTFR-2016-AVI-073, CERTFR-2016-AVI-103, CVE-2015-5707, DSA-3329-1, openSUSE-SU-2015:1842-1, openSUSE-SU-2016:0301-1, SOL17475, SUSE-SU-2015:1478-1, SUSE-SU-2015:1592-1, SUSE-SU-2015:1611-1, SUSE-SU-2015:2084-1, SUSE-SU-2015:2085-1, SUSE-SU-2015:2086-1, SUSE-SU-2015:2087-1, SUSE-SU-2015:2089-1, SUSE-SU-2015:2090-1, SUSE-SU-2015:2091-1, SUSE-SU-2016:0585-1, SUSE-SU-2016:0785-1, USN-2733-1, USN-2734-1, USN-2737-1, USN-2738-1, USN-2750-1, USN-2759-1, USN-2760-1, VIGILANCE-VUL-17576.

Description of the vulnerability

The drivers/scsi/sg.c file of the Linux kernel implements the generic driver for SCSI.

However, if iov_count is too large, a multiplication overflows in the sg_start_req() function, and the memory area allocated from the wrapped result is too small.

A local attacker can therefore generate an integer overflow in the SCSI driver of the Linux kernel, in order to trigger a denial of service, and possibly to run code.