CVE-2016-7118

low-risk
Published 2016-08-31

fs/fcntl.c in the "aufs 3.2.x+setfl-debian" patch in the linux-image package 3.2.0-4 (kernel 3.2.81-1) in Debian wheezy mishandles F_SETFL fcntl calls on directories, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via standard filesystem operations, as demonstrated by scp from an AUFS filesystem.

Do I need to act?

-
0.05% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Affected Vendors

Debian

References (6)

http://seclists.org/oss-sec/2016/q3/395
Mailing List http://www.openwall.com/lists/oss-security/2016/08/31/3
http://www.securityfocus.com/bid/92697
http://seclists.org/oss-sec/2016/q3/395
Mailing List http://www.openwall.com/lists/oss-security/2016/08/31/3
http://www.securityfocus.com/bid/92697
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal