CVE-2017-12193
CVSS V2 Medium 4.9
CVSS V3 Medium 5.5
Description
The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.
Overview
- CVE ID
- CVE-2017-12193
- Assigner
- secalert@redhat.com
- Vulnerability Status
- Modified
- Published Version
- 2017-11-22T18:29:00
- Last Modified Date
- 2023-02-12T23:28:05
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 1 | OR | 4.13.11 |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:L/AC:L/Au:N/C:N/I:N/A:C
- Access Vector
- LOCAL
- Access Compatibility
- LOW
- Authentication
- NONE
- Confidentiality Impact
- NONE
- Integrity Impact
- NONE
- Availability Impact
- COMPLETE
- Base Score
- 4.9
- Severity
- MEDIUM
- Exploitability Score
- 3.9
- Impact Score
- 6.9
CVSS Version 3
- Version
- 3.0
- Vector String
- CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Attack Vector
- LOCAL
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- NONE
- Availability Impact
- HIGH
- Base Score
- 5.5
- Base Severity
- MEDIUM
- Exploitability Score
- 1.8
- Impact Score
- 3.6
References
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2017-12193 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12193 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 18:41:23 | Added to TrackCVE | |||
| 2022-12-02 23:19:00 | 2017-11-22T18:29Z | 2017-11-22T18:29:00 | CVE Published Date | updated |
| 2022-12-02 23:19:00 | 2018-07-13T01:29:00 | CVE Modified Date | updated | |
| 2022-12-02 23:19:00 | Modified | Vulnerability Status | updated | |
| 2023-02-02 17:06:49 | 2023-02-02T16:18:06 | CVE Modified Date | updated | |
| 2023-02-02 17:06:50 | The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations. | A flaw was found in the Linux kernel's implementation of associative arrays introduced in 3.13. This functionality was backported to the 3.10 kernels in Red Hat Enterprise Linux 7. The flaw involved a null pointer dereference in assoc_array_apply_edit() due to incorrect node-splitting in assoc_array implementation. This affects the keyring key type and thus key addition and link creation operations may cause the kernel to panic. | Description | updated |
| 2023-02-02 17:06:51 | References | updated | ||
| 2023-02-13 01:07:22 | 2023-02-12T23:28:05 | CVE Modified Date | updated | |
| 2023-02-13 01:07:23 | A flaw was found in the Linux kernel's implementation of associative arrays introduced in 3.13. This functionality was backported to the 3.10 kernels in Red Hat Enterprise Linux 7. The flaw involved a null pointer dereference in assoc_array_apply_edit() due to incorrect node-splitting in assoc_array implementation. This affects the keyring key type and thus key addition and link creation operations may cause the kernel to panic. | The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations. | Description | updated |