PatchSiren


CVE-2016-2779 Kernel CVE debrief

CVE-2016-2779 is a high-severity local security issue in util-linux runuser. According to the CVE description, a crafted TIOCSTI ioctl call can push characters into the terminal input buffer and let a local user escape to the parent session. NVD rates the issue as High and maps it to a vulnerable util-linux build in its CPE criteria.

Vendor: Kernel
Product: CVE-2016-2779
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-07
Original CVE updated: 2026-05-13
Advisory published: 2017-02-07
Advisory updated: 2026-05-13

Who should care

Administrators of Linux systems that include util-linux, especially environments where users can run runuser or otherwise interact with trusted terminal sessions. Multi-user hosts, shared systems, and systems that rely on terminal session separation should pay particular attention.

Technical summary

The issue is a local privilege-boundary escape involving terminal input injection through TIOCSTI. The CVSS vector indicates local attack conditions (AV:L), low complexity, low privileges, no user interaction, and high impacts to confidentiality, integrity, and availability. NVD’s vulnerable CPE entry identifies util-linux 2.24.2-1 as affected, and the reference set includes upstream/security mailing-list discussion and a Debian bug report.

Defensive priority

High for exposed multi-user Linux systems. This is not an internet-facing remote exploit, but it can meaningfully weaken session isolation on hosts where local users or scripts can invoke the affected path.

Recommended defensive actions

  • Confirm whether installed util-linux packages fall within the vulnerable range identified by NVD.
  • Apply the vendor or distribution update that addresses the runuser/TIOCSTI issue.
  • Review whether terminal session separation depends on trust assumptions that this flaw could bypass.
  • Restrict local shell access and privileged helper use on shared systems where practical.
  • Monitor package advisories and distribution security trackers for backported fixes if exact upstream versions are not used.

Evidence notes

The summary is based on the CVE description and NVD record for CVE-2016-2779, which states that runuser in util-linux can be abused via a crafted TIOCSTI ioctl to inject terminal input and escape to the parent session. NVD classifies the issue as CVSS 3.0 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and lists a vulnerable util-linux CPE criterion. Reference links point to OSS-security mailing list posts from 2016-02-27 and a Debian bug report.

Official resources

The CVE record was published on 2017-02-07. The supporting discussion links in the record date to 2016-02-27, indicating earlier public reporting before CVE publication.