Marcelo Ricardo Leitner - Security Researcher - Exploit Intelligence Platform

CVE-2015-3212 WRITEUP WRITEUP

Linux Kernel < 4.1.1 - Denial of Service via SCTP Socket Race Condition

Race condition in net/sctp/socket.c in the Linux kernel before 4.1.2 allows local users to cause a denial of service (list corruption and panic) via a rapid series of system calls related to sockets, as demonstrated by setsockopt calls.

View Code

CVE-2015-5283 WRITEUP WRITEUP

Linux Kernel < 4.2.2 - Denial of Service via SCTP Socket Initialization

The sctp_init function in net/sctp/protocol.c in the Linux kernel before 4.2.3 has an incorrect sequence of protocol-initialization steps, which allows local users to cause a denial of service (panic or memory corruption) by creating SCTP sockets before all of the steps have finished.

View Code

CVE-2016-9555 WRITEUP CRITICAL WRITEUP

Linux Kernel < 3.2.85 - Out-of-bounds Read via SCTP Chunk Length Handling

The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data.

CVSS 9.8

View Code

CVE-2017-5986 WRITEUP MEDIUM WRITEUP

Linux Kernel < 4.9.11 - Denial of Service via SCTP Association Peeling Race Condition

Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state.

CVSS 5.5

View Code

CVE-2017-6353 WRITEUP MEDIUM WRITEUP

Linux Kernel < 4.10 - Denial of Service via SCTP Association Peel-Off

net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986.

CVSS 5.5

View Code