CVE-2016-5696

MEDIUM

Linux kernel <4.7 - RCE

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2016-5696. PoCs published by violentshell, jduck, Gnoxter.

Description

net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.

Exploits (5)

nomisec WORKING POC 102 stars
by violentshell · poc
https://github.com/violentshell/rover

This repository contains a functional Python-based proof-of-concept exploit for CVE-2016-5696, a TCP side-channel attack that allows an attacker to infer the source port of a client connecting to a server. The exploit uses Scapy to craft and send TCP packets, synchronizing with the server's clock to infer the ephemeral port range.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Linux-based systems (tested on Ubuntu 14.04 SSH server)
No auth needed
Prerequisites: Python 2.7 · Scapy 2.3.2 · Network access to target server · Ability to send crafted TCP packets
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 75 stars
by jduck · poc
https://github.com/jduck/challack

This repository contains functional proof-of-concept code for CVE-2016-5696, an off-path TCP exploit that allows connection resets or session injection by leveraging challenge ACK attacks. The code demonstrates the attack against both clients and servers, as described in the referenced academic paper.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (TCP stack)
No auth needed
Prerequisites: Ability to spoof packets (no egress filtering) · iptables to drop packets from target host/port
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 40 stars
by Gnoxter · poc
https://github.com/Gnoxter/mountain_goat

This repository contains a functional proof-of-concept exploit for CVE-2016-5696, demonstrating off-path TCP injection techniques. The code includes packet crafting and sequence number inference, though it is not a complete implementation of the full attack chain.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Complex
Reliability: Racy
Target: Linux kernel (TCP stack)
No auth needed
Prerequisites: Network access to target TCP connections · Ability to sniff/craft packets
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 2 stars
by bplinux · poc
https://github.com/bplinux/chackd

This repository contains a functional daemon (chackd) designed to mitigate CVE-2016-5696 by randomizing the kernel parameter tcp_challenge_ack_limit. The code includes a Makefile, daemon initialization, and scripts to manage the daemon.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel (versions affected by CVE-2016-5696)
Auth required
Prerequisites: Root access to modify kernel parameters · Linux system with vulnerable kernel
devstral-2 · analyzed Feb 18, 2026

nomisec SCANNER 1 star
by unkaktus · poc
https://github.com/unkaktus/grill

This repository contains a Go-based scanner for CVE-2016-5696, a TCP off-path vulnerability in Linux kernel's global rate-limiting mechanism. It sends crafted TCP packets to detect vulnerable hosts by analyzing challenge ACK responses.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (versions affected by CVE-2016-5696)
No auth needed
Prerequisites: Network access to target hosts · Ability to send raw TCP packets · Low-latency network path to targets
devstral-2 · analyzed Feb 18, 2026

References (32)

Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1657.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1814.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/91704
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1815.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1939.html
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-3071-1
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1632.html
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-3070-4
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036625
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1631.html
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1354708
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-3072-2
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1633.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1664.html
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-3072-1
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/07/12/2
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-3071-2
Various Sources x_refsource_confirm
https://security.paloaltonetworks.com/CVE-2016-5696
Exploit, Third Party Advisory x_refsource_misc
https://github.com/Gnoxter/mountain_goat
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-3070-1
Various Sources x_refsource_confirm
https://bto.bluecoat.com/security-advisory/sa131
Third Party Advisory x_refsource_confirm
http://source.android.com/security/bulletin/2016-10-01.html
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-3070-3
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-3070-2

Scores

CVSS v3 4.8
EPSS 0.1585
EPSS Percentile 96.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Details

CWE: CWE-200
Status published
Products (4)
google/android < 7.0
linux/linux_kernel < 4.6.6
oracle/vm_server 3.3
oracle/vm_server 3.4
Published Aug 06, 2016
Tracked Since Feb 18, 2026