CVE-2017-16939

HIGH

Linux kernel <4.13.11 - Privilege Escalation/DoS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-16939. PoCs published by SecuriTeam, TamiiLambrado.

AI-analyzed exploit summary This PoC exploits a use-after-free vulnerability in the Linux kernel's Netlink socket subsystem (XFRM) to achieve privilege escalation. It manipulates socket buffer sizes to trigger a race condition, leading to a potential read/write primitive.

Description

The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages.

Exploits (2)

exploitdb WORKING POC
by SecuriTeam · locallinux
https://www.exploit-db.com/exploits/44049

This PoC exploits a use-after-free vulnerability in the Linux kernel's Netlink socket subsystem (XFRM) to achieve privilege escalation. It manipulates socket buffer sizes to trigger a race condition, leading to a potential read/write primitive.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Linux kernel (versions affected by CVE-2017-16939)
No auth needed
Prerequisites: Unprivileged user access · Linux kernel with vulnerable XFRM Netlink implementation
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC 3 stars
by TamiiLambrado · cpoc
https://github.com/TamiiLambrado/CVE-pocs/tree/master/CVE-2017-16939-ipsec-xfrm.c

This PoC exploits a memory corruption vulnerability in the Linux Kernel's XFRM subsystem (CVE-2017-16939) by manipulating the sk_rcvbuf value via setsockopt and triggering a race condition in netlink_dump, leading to potential privilege escalation.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Linux Kernel (versions affected by CVE-2017-16939)
No auth needed
Prerequisites: Unprivileged user access · Linux kernel with XFRM subsystem enabled
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (14)

Core 14
Core References
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4082
Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2017/12/msg00004.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.suse.com/show_bug.cgi?id=1069702
Patch, Vendor Advisory x_refsource_misc
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.11
Mailing List, Third Party Advisory x_refsource_misc
http://seclists.org/fulldisclosure/2017/Nov/40
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1355
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1318
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/101954
Exploit, Patch, Third Party Advisory x_refsource_misc
https://blogs.securiteam.com/index.php/archives/3535
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1170
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1190

Scores

CVSS v3 7.8
EPSS 0.1016
EPSS Percentile 93.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-416
Status published
Products (2)
debian/debian_linux 8.0
linux/linux_kernel 2.6.28 - 3.2.97
Published Nov 24, 2017
Tracked Since Feb 18, 2026