PT-2017-3733 · Linux+3 · Linux Kernel+3

Stefano Brivio · Published 2017-08-23 · Updated 2023-02-12 · CVE-2017-7558

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Linux kernel versions 4.7-rc1 through 4.13
Description: A kernel data leak caused by an out-of-bounds read was found in the Linux kernel. The issue affects the inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions: the leak occurs when they fill in the sockaddr data structures used to export a socket's diagnostic information. As a result, up to 100 bytes of slab data could be leaked to userspace. A local attacker can exploit the vulnerability to leak this kernel memory.
Recommendations: For Linux kernel versions 4.7-rc1 through 4.13, consider disabling the inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions as a temporary workaround until a patch is available. Restrict access to the vulnerable functions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Buffer Overflow

Out of bounds Read

Weakness Enumeration

Related Identifiers

ALT-PU-2017-2206
ALT-PU-2018-1991
BDU:2019-00221
CESA-2017_2930
CVE-2017-7558
DSA-3981-1
MGASA-2017-0381
MGASA-2017-0383
MGASA-2017-0384
RHSA-2017:2918
RHSA-2017:2930
RHSA-2017:2931
RHSA-2017_2930
RHSA-2017_2931

Affected Products

ALT Linux
CentOS
Linux Kernel
Red Hat