crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify that a setkey operation has been performed on an AF_ALG socket before an accept system call is processed, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted application that does not supply a key, related to the lrw_crypt function in crypto/lrw.c.
NOTE: The following CVSS v2.0 metrics and score provided are preliminary and subject to review.
|Base Score:||4.9||Base Metrics:||AV:L/AC:L/Au:N/C:N/I:N/A:C|
|Access Vector:||Local network||Attack Complexity:||Low|
|Authentication:||None required||Confidentiality Impact:||None|
|Integrity Impact:||None||Availability Impact:||Complete|
|Oracle Linux version 7 (kernel)||ELSA-2017-1842||2017-08-07|
|Oracle Linux version 7 (kernel)||ELSA-2017-1842-1||2017-08-15|
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections, please contact the Oracle Linux ULN team.