CVE-2017-18509

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 4.11 Linux kernel versions 4.9.x before 4.9.187

Description: An issue was discovered in the Linux kernel that allows an attacker to control a pointer in kernel land and cause a general protection fault, or potentially execute arbitrary code under certain circumstances. This can be triggered as root or after namespace unsharing, and it occurs because sk type and protocol are not checked in the appropriate part of the ip6 mroute * functions. The issue can also lead to a local escalation of privilege with no additional execution privileges needed, due to a logic error in the code that results in a possible out of bounds write in ip6 mroute setsockopt and related functions.

Recommendations: For Linux kernel versions prior to 4.11, update to version 4.11 or later to resolve the issue. For Linux kernel versions 4.9.x, update to version 4.9.187 or later to resolve the issue. As a temporary workaround, consider restricting the use of the ip6 mroute * functions and the CAP NET ADMIN capability to minimize the risk of exploitation.