| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2011-4325 |
|
|
DoS |
2012-01-27 |
2017-08-29 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The NFS implementation in Linux kernel before 2.6.31-rc6 calls certain functions without properly initializing certain data, which allows local users to cause a denial of service (NULL pointer dereference and O_DIRECT oops), as demonstrated using diotest4 from LTP. |
|
2 |
CVE-2011-1577 |
119 |
|
DoS Overflow |
2011-05-03 |
2018-10-09 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Heap-based buffer overflow in the is_gpt_valid function in fs/partitions/efi.c in the Linux kernel 2.6.38 and earlier allows physically proximate attackers to cause a denial of service (OOPS) or possibly have unspecified other impact via a crafted size of the EFI GUID partition-table header on removable media. |
|
3 |
CVE-2011-1495 |
20 |
|
DoS +Priv Mem. Corr. +Info |
2011-05-03 |
2018-10-09 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier does not validate (1) length and (2) offset values before performing memory copy operations, which might allow local users to gain privileges, cause a denial of service (memory corruption), or obtain sensitive information from kernel memory via a crafted ioctl call, related to the _ctl_do_mpt_command and _ctl_diag_read_buffer functions. |
|
4 |
CVE-2011-1494 |
189 |
|
DoS Overflow +Priv Mem. Corr. |
2011-05-03 |
2018-10-09 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Integer overflow in the _ctl_do_mpt_command function in drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier might allow local users to gain privileges or cause a denial of service (memory corruption) via an ioctl call specifying a crafted value that triggers a heap-based buffer overflow. |
|
5 |
CVE-2011-1172 |
200 |
|
+Info |
2011-06-22 |
2015-10-06 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process. |
|
6 |
CVE-2011-1171 |
200 |
|
+Info |
2011-06-22 |
2015-10-06 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process. |
|
7 |
CVE-2011-1170 |
200 |
|
+Info |
2011-06-22 |
2015-10-06 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process. |
|
8 |
CVE-2011-1090 |
399 |
|
DoS |
2011-05-09 |
2018-10-09 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The __nfs4_proc_set_acl function in fs/nfs/nfs4proc.c in the Linux kernel before 2.6.38 stores NFSv4 ACL data in memory that is allocated by kmalloc but not properly freed, which allows local users to cause a denial of service (panic) via a crafted attempt to set an ACL. |
|
9 |
CVE-2011-0726 |
20 |
|
|
2011-07-18 |
2015-10-06 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The do_task_stat function in fs/proc/array.c in the Linux kernel before 2.6.39-rc1 does not perform an expected uid check, which makes it easier for local users to defeat the ASLR protection mechanism by reading the start_code and end_code fields in the /proc/#####/stat file for a process executing a PIE binary. |
|
10 |
CVE-2010-3086 |
|
|
DoS |
2011-01-14 |
2018-10-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
include/asm-x86/futex.h in the Linux kernel before 2.6.25 does not properly implement exception fixup, which allows local users to cause a denial of service (panic) via an invalid application that triggers a page fault. |
|
11 |
CVE-2010-3015 |
189 |
|
DoS Overflow |
2010-08-20 |
2018-10-10 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
Integer overflow in the ext4_ext_get_blocks function in fs/ext4/extents.c in the Linux kernel before 2.6.34 allows local users to cause a denial of service (BUG and system crash) via a write operation on the last block of a large file, followed by a sync operation. |
|
12 |
CVE-2010-2521 |
119 |
|
DoS Exec Code Overflow |
2010-09-07 |
2018-10-10 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel before 2.6.34-rc6 allow remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions. |
|
13 |
CVE-2010-2248 |
20 |
|
DoS |
2010-09-07 |
2018-10-10 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel before 2.6.34-rc4 allows remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions. |
|
14 |
CVE-2010-1643 |
|
|
DoS |
2010-06-03 |
2017-08-17 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
mm/shmem.c in the Linux kernel before 2.6.28-rc3, when strict overcommit is enabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors. |
|
15 |
CVE-2010-1641 |
264 |
|
Bypass |
2010-06-01 |
2018-10-10 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel before 2.6.34-git10 does not verify the ownership of a file, which allows local users to bypass intended access restrictions via a SETFLAGS ioctl request. |
|
16 |
CVE-2010-1488 |
399 |
|
DoS |
2010-04-20 |
2012-03-19 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The proc_oom_score function in fs/proc/base.c in the Linux kernel before 2.6.34-rc4 uses inappropriate data structures during selection of a candidate for the OOM killer, which might allow local users to cause a denial of service via unspecified patterns of task creation. |
|
17 |
CVE-2010-1437 |
362 |
|
DoS Mem. Corr. |
2010-05-07 |
2018-10-10 |
1.9 |
None |
Local |
Medium |
Not required |
None |
None |
Partial |
|
Race condition in the find_keyring_by_name function in security/keys/keyring.c in the Linux kernel 2.6.34-rc5 and earlier allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via keyctl session commands that trigger access to a dead keyring that is undergoing deletion by the key_cleanup function. |
|
18 |
CVE-2010-1173 |
20 |
|
DoS |
2010-05-07 |
2018-10-10 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. |
|
19 |
CVE-2010-1162 |
|
|
|
2010-04-20 |
2012-03-19 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The release_one_tty function in drivers/char/tty_io.c in the Linux kernel before 2.6.34-rc4 omits certain required calls to the put_pid function, which has unspecified impact and local attack vectors. |
|
20 |
CVE-2010-1083 |
399 |
|
+Info |
2010-04-06 |
2018-10-10 |
4.7 |
None |
Local |
Medium |
Not required |
Complete |
None |
None |
|
The processcompl_compat function in drivers/usb/core/devio.c in Linux kernel 2.6.x through 2.6.32, and possibly other versions, does not clear the transfer buffer before returning to userspace when a USB command fails, which might make it easier for physically proximate attackers to obtain sensitive information (kernel memory). |
|
21 |
CVE-2010-0622 |
|
|
DoS |
2010-02-15 |
2018-10-10 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space. |
|
22 |
CVE-2010-0437 |
|
|
DoS |
2010-03-24 |
2018-10-10 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The ip6_dst_lookup_tail function in net/ipv6/ip6_output.c in the Linux kernel before 2.6.27 does not properly handle certain circumstances involving an IPv6 TUN network interface and a large number of neighbors, which allows attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via unknown vectors. |
|
23 |
CVE-2010-0415 |
|
|
DoS |
2010-02-17 |
2018-10-10 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel's node set. |
|
24 |
CVE-2010-0007 |
264 |
|
Bypass |
2010-01-19 |
2018-10-10 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
net/bridge/netfilter/ebtables.c in the ebtables module in the netfilter framework in the Linux kernel before 2.6.33-rc4 does not require the CAP_NET_ADMIN capability for setting or modifying rules, which allows local users to bypass intended access restrictions and configure arbitrary network-traffic filtering via a modified ebtables application. |
|
25 |
CVE-2009-4308 |
399 |
|
DoS |
2009-12-13 |
2018-10-10 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal. |
|
26 |
CVE-2009-4307 |
189 |
|
DoS |
2009-12-13 |
2017-09-19 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 2.6.32-git6 allows user-assisted remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value). |
|
27 |
CVE-2009-4306 |
|
|
DoS |
2009-12-13 |
2012-03-19 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Unspecified vulnerability in the EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the ext4 filesystem in the Linux kernel 2.6.32-git6 and earlier allows local users to cause a denial of service (filesystem corruption) via unknown vectors, a different vulnerability than CVE-2009-4131. |
|
28 |
CVE-2009-4141 |
399 |
|
+Priv |
2010-01-19 |
2017-09-19 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Use-after-free vulnerability in the fasync_helper function in fs/fcntl.c in the Linux kernel before 2.6.33-rc4-git1 allows local users to gain privileges via vectors that include enabling O_ASYNC (aka FASYNC or FIOASYNC) on a locked file, and then closing this file. |
|
29 |
CVE-2009-4138 |
399 |
|
DoS |
2009-12-16 |
2017-09-19 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
drivers/firewire/ohci.c in the Linux kernel before 2.6.32-git9, when packet-per-buffer mode is used, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains zero in the payload-length field. |
|
30 |
CVE-2009-4131 |
264 |
|
|
2009-12-13 |
2012-03-19 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the ext4 filesystem in the Linux kernel before 2.6.32-git6 allows local users to overwrite arbitrary files via a crafted request, related to insufficient checks for file permissions. |
|
31 |
CVE-2009-4027 |
362 |
|
DoS |
2009-12-02 |
2017-09-19 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
Race condition in the mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (system crash) via a Delete Block ACK (aka DELBA) packet that triggers a certain state change in the absence of an aggregation session. |
|
32 |
CVE-2009-4026 |
|
|
DoS |
2009-12-02 |
2012-03-19 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (panic) via a crafted Delete Block ACK (aka DELBA) packet, related to an erroneous "code shuffling patch." |
|
33 |
CVE-2009-4021 |
399 |
|
DoS |
2009-11-25 |
2017-09-19 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The fuse_direct_io function in fs/fuse/file.c in the fuse subsystem in the Linux kernel before 2.6.32-rc7 might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack. |
|
34 |
CVE-2009-4005 |
119 |
|
Overflow |
2009-11-20 |
2017-09-19 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the Linux kernel before 2.6.32-rc7 allows attackers to have an unspecified impact via a crafted HDLC packet that arrives over ISDN and triggers a buffer under-read. |
|
35 |
CVE-2009-3939 |
264 |
|
|
2009-11-16 |
2017-09-19 |
6.6 |
None |
Local |
Low |
Not required |
None |
Complete |
Complete |
|
The poll_mode_io file for the megaraid_sas driver in the Linux kernel 2.6.31.6 and earlier has world-writable permissions, which allows local users to change the I/O mode of the driver by modifying this file. |
|
36 |
CVE-2009-3888 |
399 |
|
DoS |
2009-11-16 |
2012-03-19 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The do_mmap_pgoff function in mm/nommu.c in the Linux kernel before 2.6.31.6, when the CPU lacks a memory management unit, allows local users to cause a denial of service (OOPS) via an application that attempts to allocate a large amount of memory. |
|
37 |
CVE-2009-3722 |
264 |
|
DoS |
2009-10-30 |
2017-09-19 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 2.6.31.1 does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application. |
|
38 |
CVE-2009-3640 |
20 |
|
DoS +Priv |
2009-10-29 |
2017-08-17 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The update_cr8_intercept function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.32-rc1 does not properly handle the absence of an Advanced Programmable Interrupt Controller (APIC), which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via a call to the kvm_vcpu_ioctl function. |
|
39 |
CVE-2009-3638 |
189 |
|
Overflow |
2009-10-29 |
2017-08-17 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Integer overflow in the kvm_dev_ioctl_get_supported_cpuid function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.31.4 allows local users to have an unspecified impact via a KVM_GET_SUPPORTED_CPUID request to the kvm_arch_dev_ioctl function. |
|
40 |
CVE-2009-3624 |
310 |
|
DoS +Priv |
2009-11-02 |
2012-03-19 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The get_instantiation_keyring function in security/keys/keyctl.c in the KEYS subsystem in the Linux kernel before 2.6.32-rc5 does not properly maintain the reference count of a keyring, which allows local users to gain privileges or cause a denial of service (OOPS) via vectors involving calls to this function without specifying a keyring by ID, as demonstrated by a series of keyctl request2 and keyctl list commands. |
|
41 |
CVE-2009-3623 |
287 |
|
DoS |
2009-10-30 |
2012-03-19 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The lookup_cb_cred function in fs/nfsd/nfs4callback.c in the nfsd4 subsystem in the Linux kernel before 2.6.31.2 attempts to access a credentials cache even when a client specifies the AUTH_NULL authentication flavor, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an NFSv4 mount request. |
|
42 |
CVE-2009-3620 |
20 |
|
DoS +Priv |
2009-10-22 |
2017-09-19 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls. |
|
43 |
CVE-2009-3238 |
310 |
|
|
2009-09-18 |
2018-07-28 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time." |
|
44 |
CVE-2009-3043 |
399 |
|
DoS +Priv |
2009-09-02 |
2012-03-19 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The tty_ldisc_hangup function in drivers/char/tty_ldisc.c in the Linux kernel 2.6.31-rc before 2.6.31-rc8 allows local users to cause a denial of service (system crash, sometimes preceded by a NULL pointer dereference) or possibly gain privileges via certain pseudo-terminal I/O activity, as demonstrated by KernelTtyTest.c. |
|
45 |
CVE-2009-2909 |
189 |
|
DoS |
2009-10-20 |
2012-03-19 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Integer signedness error in the ax25_setsockopt function in net/ax25/af_ax25.c in the ax25 subsystem in the Linux kernel before 2.6.31.2 allows local users to cause a denial of service (OOPS) via a crafted optlen value in an SO_BINDTODEVICE operation. |
|
46 |
CVE-2009-2849 |
|
|
DoS |
2009-08-18 |
2017-09-19 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The md driver (drivers/md/md.c) in the Linux kernel before 2.6.30.2 might allow local users to cause a denial of service (NULL pointer dereference) via vectors related to "suspend_* sysfs attributes" and the (1) suspend_lo_store or (2) suspend_hi_store functions. NOTE: this is only a vulnerability when sysfs is writable by an attacker. |
|
47 |
CVE-2009-2846 |
264 |
|
Bypass |
2009-08-18 |
2017-08-17 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
The eisa_eeprom_read function in the parisc isa-eeprom component (drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6 allows local users to access restricted memory via a negative ppos argument, which bypasses a check that assumes that ppos is positive and causes an out-of-bounds read in the readb function. |
|
48 |
CVE-2009-2695 |
119 |
|
Overflow +Priv |
2009-08-28 |
2017-09-19 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The Linux kernel before 2.6.31-rc7 does not properly prevent mmap operations that target page zero and other low memory addresses, which allows local users to gain privileges by exploiting NULL pointer dereference vulnerabilities, related to (1) the default configuration of the allow_unconfined_mmap_low boolean in SELinux on Red Hat Enterprise Linux (RHEL) 5, (2) an error that causes allow_unconfined_mmap_low to be ignored in the unconfined_t domain, (3) lack of a requirement for the CAP_SYS_RAWIO capability for these mmap operations, and (4) interaction between the mmap_min_addr protection mechanism and certain application programs. |
|
49 |
CVE-2009-2407 |
119 |
|
DoS Overflow +Priv |
2009-07-31 |
2018-10-10 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Heap-based buffer overflow in the parse_tag_3_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to a large encrypted key size in a Tag 3 packet. |
|
50 |
CVE-2009-2406 |
119 |
|
DoS Overflow +Priv |
2009-07-31 |
2018-10-30 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Stack-based buffer overflow in the parse_tag_11_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to not ensuring that the key signature length in a Tag 11 packet is compatible with the key signature buffer size. |
