CVE-2016-9919

Severity: High
Remote: Yes
Type: Denial of service
Description
The icmp6_send function in net/ipv6/icmp.c in the Linux kernel through 4.8.12 omits a certain check of the dst data structure, which allows remote attackers to cause a denial of service (panic) via a fragmented IPv6 packet.
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-104 | linux-lts | 4.4.36-1 | 4.4.37-1 | High | Not affected | |
| AVG-103 | linux-grsec | 1:4.8.12.r201612062306-1 | 1:4.8.12.r201612062306-2 | High | Fixed | |
| AVG-102 | linux-zen | 4.8.12-2 | 4.8.13-1 | High | Fixed | |
| AVG-101 | linux | 4.8.12-2 | 4.8.12-3 | High | Fixed | |
| Date | Advisory | Group | Package | Severity | Description |
|---|---|---|---|---|---|
| 12 Dec 2016 | ASA-201612-14 | AVG-102 | linux-zen | High | denial of service |
| 10 Dec 2016 | ASA-201612-11 | AVG-103 | linux-grsec | High | denial of service |
| 10 Dec 2016 | ASA-201612-10 | AVG-101 | linux | High | denial of service |
References
https://bugzilla.kernel.org/show_bug.cgi?id=189851
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=79dc7e3f1cd323be4c81aa1a94faa1b3ed987fb2
Notes
The issue was introduced in 4.8.10 by 5d41ce29e ("net: icmp6_send should use dst dev to determine L3 domain") and fixed in trunk by 79dc7e3f1cd323be4c81aa1a94faa1b3ed987fb2 ("net: handle no dst on skb in icmp6_send").