PatchSiren cyber security CVE debrief

CVE-2016-10150 Linux CVE debrief

CVE-2016-10150 is a critical use-after-free vulnerability in the Linux kernel's KVM device creation path, specifically kvm_ioctl_create_device in virt/kvm/kvm_main.c. On affected kernel versions before 4.8.13, a crafted ioctl request against /dev/kvm can cause a host denial of service and may also allow privilege escalation. Systems that run KVM on Linux hosts should treat this as urgent remediation work.

Vendor: Linux
Product: CVE-2016-10150
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-06
Original CVE updated: 2026-05-13
Advisory published: 2017-02-06
Advisory updated: 2026-05-13

Who should care

Linux administrators, virtualization and cloud platform operators, distro maintainers, and anyone running KVM-capable Linux kernels in the affected version range should prioritize this issue. It is especially important for host systems that expose /dev/kvm to trusted but unprivileged local users or that run multi-tenant virtualization workloads.

Technical summary

NVD describes the flaw as a use-after-free in kvm_ioctl_create_device, with weakness mappings including CWE-416 (use after free) and CWE-264 (permissions, privileges and access controls). The vulnerable CPE range in the record covers Linux kernel versions from 4.8.0 up to, but not including, 4.8.13. The referenced upstream fix is associated with commit a0f1d21c1ccb1da66629627a74059dd7f5ac9c61, and the Linux 4.8.13 changelog is listed as the vendor advisory reference.

Defensive priority

High - patch immediately on any affected host running Linux kernel 4.8.0 through 4.8.12, especially virtualization hosts using KVM.

Recommended defensive actions

  • Upgrade affected Linux kernels to 4.8.13 or a vendor backport that includes the upstream fix.
  • Verify whether KVM is enabled and whether /dev/kvm is available on production hosts.
  • Prioritize remediation on hypervisors, cloud hosts, and shared infrastructure where a crash or privilege escalation would have broad impact.
  • Track vendor security advisories and package updates for your distribution rather than relying only on the upstream version number.
  • After patching, confirm that the running kernel build includes the fix and that the host has been rebooted into the corrected kernel; a package upgrade alone does not replace the kernel that is already executing.
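The two verification steps above (is the host in the affected upstream range, and is /dev/kvm actually exposed) can be folded into a small POSIX shell check. This is an added example written for this debrief, not PatchSiren's tooling or anything from the kernel project. It assumes only the version range stated on this page (4.8.0 through 4.8.12 affected, 4.8.13 fixed) and compares against the upstream part of `uname -r`; it cannot see vendor backports, so on distribution kernels treat an "affected" verdict as a prompt to check the distro advisory rather than as proof of exposure.

```shell
#!/bin/sh
# Added example for the CVE-2016-10150 debrief (not PatchSiren's or the
# kernel project's code). Assumption: the affected upstream range is
# 4.8.0 .. 4.8.12 and 4.8.13 carries the fix, as stated in the debrief.
# Vendor backports are NOT detected; consult the distro advisory for those.

# is_affected_version RELEASE
# Returns 0 if RELEASE (as printed by `uname -r`) falls in the affected
# upstream range, 1 otherwise. Distro suffixes such as "4.8.12-1-amd64" or
# "-generic" are stripped before the numeric comparison.
is_affected_version() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -s -d. -f2)
    patch=$(printf '%s' "$ver" | cut -s -d. -f3)
    [ -z "$major" ] && return 1
    [ -z "$minor" ] && minor=0
    [ -z "$patch" ] && patch=0
    if [ "$major" -eq 4 ] && [ "$minor" -eq 8 ] && [ "$patch" -le 12 ]; then
        return 0
    fi
    return 1
}

# kvm_exposed [DEVICE]
# Returns 0 if the KVM character device exists (default /dev/kvm), 1 if not.
# The mode and group are printed because a world-readable/writable node, or
# membership in the group owning it, is what lets unprivileged local users
# reach the ioctl path this CVE lives in.
kvm_exposed() {
    dev="${1:-/dev/kvm}"
    if [ -c "$dev" ]; then
        printf 'KVM device present: %s\n' "$(ls -l "$dev")"
        return 0
    fi
    printf 'KVM device not present: %s\n' "$dev"
    return 1
}

# check_host RELEASE [DEVICE]
# Prints a verdict and returns 0 when the upstream version is outside the
# affected range, 1 when it is inside it (patch needed). /dev/kvm presence
# only changes the urgency wording, not the exit status.
check_host() {
    release="$1"
    node="${2:-/dev/kvm}"
    printf 'Kernel release: %s\n' "$release"
    if ! is_affected_version "$release"; then
        printf 'Verdict: not in the 4.8.0-4.8.12 upstream range; confirm backport status with your vendor\n'
        return 0
    fi
    if kvm_exposed "$node"; then
        printf 'Verdict: ACTION REQUIRED - affected kernel with KVM exposed; upgrade to 4.8.13 or a vendor backport and reboot\n'
    else
        printf 'Verdict: affected kernel, KVM device absent; patch anyway, immediate exposure is lower\n'
    fi
    return 1
}

# When run directly, report on this host; the exit status mirrors the verdict
# so the script can feed a fleet inventory or configuration-management run.
check_host "$(uname -r)" /dev/kvm
```

Run it as root or as an unprivileged user; the `ls -l` line on a present device tells you which group (often `kvm`) or whether everyone can open the node, which is the access precondition worth tightening on hosts that cannot be patched immediately.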

Evidence notes

The CVE record was published on 2017-02-06 and later modified on 2026-05-13; the issue date used here is the original publication date. NVD lists the affected Linux kernel range as 4.8.0 up to, but not including, 4.8.13 and references the upstream Git commit, the Linux 4.8.13 changelog, an oss-security mailing list post, and a Red Hat Bugzilla entry as supporting material. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H with a critical severity rating. Note that the AV:N and PR:N components are NVD's scoring; the flaw as described above is reached through an ioctl on /dev/kvm, so the practical precondition on a given host is local access to that device node.

Official resources

Publicly disclosed on the CVE publication date, 2017-02-06. The NVD record was last modified on 2026-05-13.