The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Linux_kernel | Linux | * | 3.2.86 (excluding) |
Linux_kernel | Linux | 3.3 (including) | 3.10.106 (excluding) |
Linux_kernel | Linux | 3.11 (including) | 3.12.71 (excluding) |
Linux_kernel | Linux | 3.13 (including) | 3.16.41 (excluding) |
Linux_kernel | Linux | 3.17 (including) | 3.18.49 (excluding) |
Linux_kernel | Linux | 3.19 (including) | 4.1.41 (excluding) |
Linux_kernel | Linux | 4.2 (including) | 4.4.52 (excluding) |
Linux_kernel | Linux | 4.5 (including) | 4.9.13 (excluding) |