PT-2014-5429 · Linux+4 · Linux Kernel+4

Published

2014-09-19

·

Updated

2024-02-02

·

CVE-2014-3631

CVSS v2.0

7.2

High

VectorAV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 3.16.3
Description The issue is related to the associative-array implementation in the Linux kernel, specifically the assoc array gc function, which does not properly implement garbage collection. This allows local users to cause a denial of service, resulting in a NULL pointer dereference and system crash, or possibly have unspecified other impact. The exploitation involves multiple "keyctl newring" operations followed by a "keyctl timeout" operation.
Recommendations For Linux kernel versions prior to 3.16.3, update to version 3.16.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the keyctl command to minimize the risk of exploitation.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Related Identifiers

ALT-PU-2014-2158
ALT-PU-2015-1794
CESA-2014_1971
CVE-2014-3631
MGASA-2014-0451
MGASA-2014-0452
MGASA-2014-0453
MGASA-2014-0454
MGASA-2014-0455
MGASA-2014-0456
MGASA-2014-0459
MGASA-2014-0479
RHSA-2014:1971
RHSA-2014_1971
USN-2378-1
USN-2379-1

Affected Products

Alt Linux
Centos
Linux Kernel
Red Hat
Ubuntu