CVE-2009-2692

Home/CVE/The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socke

CVE

The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socke

The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

HIGH · CVSS 7.8 EPSS 0.17556

Act now

EPSS ≥ 0.10 - elevated exploitation probability
EPSS percentile: top 5% of all CVEs by exploitation likelihood
Public exploit or PoC is available
CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-908Use of Uninitialized Resource

▤

Affected Products & Versions

linux kernel>= 2.4.4 and < 2.4.37.5
linux kernel>= 2.6.0 and < 2.6.30.5
debian linuxall versions
suse linux enterprise real timeall versions
redhat enterprise linux desktopall versions
redhat enterprise linux eusall versions
redhat enterprise linux serverall versions
redhat enterprise linux server ausall versions
Show all 9 affected productsredhat enterprise linux workstationall versions

⚠

Public Exploits & PoCs

localLinux Kernel 2.4.4 < 2.4.37.4 / 2.6.0 < 2.6.30.4 - 'Sendpage' Local Privilege Escalation (Metasploit)verified
localLinux Kernel 2.4/2.6 - 'sock_sendpage()' Local Privilege Escalation (3)verified
localLinux Kernel 2.4/2.6 (Fedora 11) - 'sock_sendpage()' Local Privilege Escalation (2)verified
localLinux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Local Privilege Escalationverified
localLinux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)verified
localLinux Kernel 2.x (Android) - 'sock_sendpage()' Local Privilege Escalationverified
localLinux Kernel 2.x (RedHat) - 'sock_sendpage()' Ring0 Privilege Escalation (1)verified
localLinux Kernel 2.x - 'sock_sendpage()' Local Privilege Escalation (4)verified
pocarchives.neohapsis.com · 0174.htmlarchives.neohapsis.com
pocblog.cr0.org · linux-null-pointer-dereference-due-to.htmlblog.cr0.org
pocwww.exploit-db.com · 19933www.exploit-db.com
pocwww.exploit-db.com · 9477www.exploit-db.com
pocwww.securityfocus.com · 36038www.securityfocus.com

▣

Scoring & Timeline

7.8

HIGH · CVSS v3.1 · cve@mitre.org

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD14 Aug 2009 · 03:16 PM

CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

⚑

Vendor Advisories

rhsaRHSA-2009:1469Important
rhsaRHSA-2009:1457Important
rhsaRHSA-2009:1223Important
rhsaRHSA-2009:1233Important
rhsaRHSA-2009:1222Important
Show all 7 vendor advisoriesusnUSN-819-1
rhsaRHSA-2009:1239Important