PatchSiren cyber security CVE debrief

CVE-2016-8636 Linux CVE debrief

CVE-2016-8636 affects the Linux kernel’s Soft RoCE (rxe) RDMA path. An integer overflow in mem_check_range() can let a local user trigger unsafe read or write handling, resulting in memory corruption, possible kernel-memory disclosure, or other undefined impact on kernels before 4.9.10.

Vendor: Linux
Product: CVE-2016-8636
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-22
Original CVE updated: 2026-05-13
Advisory published: 2017-02-22
Advisory updated: 2026-05-13

Who should care

Linux kernel maintainers, distribution security teams, and administrators running systems with Soft RoCE/RDMA enabled should pay attention, especially on multi-user hosts where untrusted local users may be able to reach the affected code path.

Technical summary

NVD describes an integer overflow in drivers/infiniband/sw/rxe/rxe_mr.c’s mem_check_range() function. The affected configuration is the Linux kernel from 4.8 up to but not including 4.9.10. The bug is reachable through RDMA read/write requests in the Soft RoCE implementation, and NVD rates the issue as locally exploitable with high confidentiality, integrity, and availability impact (CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; CWE-190).
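The CWE-190 pattern behind this CVE, shown as an added C example that is a simplified model of a region bound check and not the kernel's rxe_mr.c code: a 64-bit check of the form iova + length > base + size wraps when the requested length is close to the unsigned maximum, so an out-of-range request passes, whereas the hardened form rejects length > size first and then compares iova against base + size - length, which cannot wrap. Function and parameter names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* Overflow-prone pattern: both sums are uint64_t, so iova + length can wrap
 * past zero and the upper-bound comparison silently succeeds. */
int check_range_overflowing(uint64_t mem_iova, uint64_t mem_length,
                            uint64_t iova, uint64_t length)
{
    if (iova < mem_iova || (iova + length) > (mem_iova + mem_length))
        return -EFAULT;
    return 0;
}

/* Hardened pattern: once length <= mem_length is established, the
 * subtraction mem_iova + mem_length - length cannot wrap, and the start
 * address is compared against that bound without any request-controlled sum. */
int check_range_safe(uint64_t mem_iova, uint64_t mem_length,
                     uint64_t iova, uint64_t length)
{
    if (iova < mem_iova || length > mem_length ||
        iova > mem_iova + mem_length - length)
        return -EFAULT;
    return 0;
}

int main(void)
{
    /* Constructed region [0x10000, 0x11000) and three requests: in bounds,
     * plainly out of bounds, and a length chosen so iova + length wraps. */
    uint64_t base = 0x10000, size = 0x1000;
    uint64_t wrap_len = UINT64_MAX - 0x7ff; /* 0x10800 + wrap_len wraps to 0x10000 */

    printf("in-bounds:    overflowing=%d safe=%d\n",
           check_range_overflowing(base, size, 0x10800, 0x100),
           check_range_safe(base, size, 0x10800, 0x100));
    printf("out-of-bounds: overflowing=%d safe=%d\n",
           check_range_overflowing(base, size, 0x10F80, 0x100),
           check_range_safe(base, size, 0x10F80, 0x100));
    printf("wrapping:     overflowing=%d safe=%d\n",
           check_range_overflowing(base, size, 0x10800, wrap_len),
           check_range_safe(base, size, 0x10800, wrap_len));
    return 0;
}
```

The third line of output is the defect in miniature: the overflowing check returns 0 (accepted) for a request whose end lies far outside the region, while the hardened check returns -EFAULT.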

Defensive priority

High for any environment running a vulnerable kernel with Soft RoCE enabled, because the flaw is local but impacts kernel memory safety and can affect confidentiality, integrity, and availability.

Recommended defensive actions

  • Upgrade Linux kernel systems to 4.9.10 or a vendor release that includes the backport of the upstream fix.
  • Verify whether Soft RoCE (rxe) / RDMA over InfiniBand is enabled on your hosts; prioritize remediation on systems that expose this feature to untrusted local users.
  • Apply distribution security advisories and backported patches referenced by your vendor, and confirm the fix is present in your deployed kernel build.
  • Treat multi-user servers, shared lab systems, and any environment with local shell access as higher priority for patching and validation.
  • After patching, confirm kernel version and vendor changelog references match the fixed release line rather than relying on package names alone.

Evidence notes

The CVE record and NVD entry both identify the issue as a Linux kernel integer overflow in the Soft RoCE rxe path, with vulnerable versions from 4.8 through before 4.9.10. NVD lists the impact as local and severe (CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps it to CWE-190. The reference set includes the upstream kernel commit, the Linux 4.9.10 changelog, and an oss-security mailing list post dated 2017-02-11, which together support the fix and public disclosure timeline. NVD publication date: 2017-02-22; NVD last modified date: 2026-05-13.

Official resources

Public discussion is referenced by an oss-security mailing list post dated 2017-02-11, while the CVE was published by NVD on 2017-02-22. NVD’s latest listed modification date is 2026-05-13; that is a record update date, not the issue date.