CVE-2015-1350

MEDIUM

Linux kernel 3.x - DoS

Description

The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program.

Scores

CVSS v3 5.5
EPSS 0.0006
EPSS Percentile 20.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Classification

CWE
CWE-552
Status draft

Affected Products (5)

linux/linux_kernel < 3.19.8
redhat/enterprise_linux
redhat/enterprise_linux
redhat/enterprise_linux
redhat/enterprise_mrg

Timeline

Published May 02, 2016
Tracked Since Feb 18, 2026