PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5549 Linux CVE debrief

CVE-2017-5549 is a local information-disclosure issue in the Linux kernel’s USB serial kl5kusb105 driver. When line-status reads fail, the affected function can place uninitialized heap-memory contents into a log entry, which may let a local user recover sensitive data by reading kernel logs. The vulnerable range is listed as Linux kernel 4.9.4 and earlier, with the fix associated with Linux 4.9.5.

Vendor: Linux
Product: CVE-2017-5549
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-06
Original CVE updated: 2026-05-13
Advisory published: 2017-02-06
Advisory updated: 2026-05-13

Who should care

Kernel and distro maintainers, system administrators, and security teams responsible for Linux systems running kernel 4.9.4 or earlier, especially where kernel logs are readable by untrusted local users. This also matters for environments that ship or backport the kl5kusb105 USB serial driver.

Technical summary

NVD identifies the flaw in drivers/usb/serial/kl5kusb105.c, specifically klsi_105_get_line_state. On a failure to read line status, the function can expose uninitialized heap contents in a log entry. The weakness is classified as CWE-532 (sensitive information written to a log file); the published CVSS vector describes a local attack vector with a confidentiality impact only and no integrity or availability impact.
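The failure mode described above, reduced to a user-space C analogue written for this debrief (not the kl5kusb105 driver's code): a line-state read that hands back fewer bytes than expected, with the vulnerable caller logging the untouched buffer beside a hardened version that rejects short transfers. The simulated transfer, the sample bytes and the 0xAA "stale heap" fill are constructed stand-ins.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a USB control transfer: returns the byte count or a negative
 * errno. With short_transfer set it models a device answering with fewer
 * bytes than requested, which the USB API still reports as success. */
static int simulated_control_msg(unsigned char *buf, int len, int short_transfer)
{
    if (short_transfer)
        return 0;        /* buf is left untouched */
    buf[0] = 0x12;       /* constructed sample line-state bytes */
    buf[1] = 0x34;
    return len;
}
/* Two-byte transfer buffer. The 0xAA fill stands in for stale data that an
 * uninitialised heap allocation would still hold (constructed marker). */
static unsigned char *alloc_state_buf(void)
{
    unsigned char *buf = malloc(2);
    if (buf) buf[0] = buf[1] = 0xAA;
    return buf;
}
/* Vulnerable pattern: only a negative return counts as failure, so a short
 * transfer falls through and the untouched buffer is parsed and logged. */
int get_line_state_vulnerable(int short_transfer, unsigned int *state)
{
    unsigned char *buf = alloc_state_buf();
    if (!buf) return -ENOMEM;
    int rc = simulated_control_msg(buf, 2, short_transfer);
    if (rc < 0) { free(buf); return rc; }
    *state = buf[0] | (buf[1] << 8);
    printf("line state: 0x%04x\n", *state);   /* log entry; shows 0xaaaa */
    free(buf);
    return 0;
}
/* Hardened pattern: a transfer shorter than expected is an error, and
 * nothing from the buffer is parsed or logged. */
int get_line_state_fixed(int short_transfer, unsigned int *state)
{
    unsigned char *buf = alloc_state_buf();
    if (!buf) return -ENOMEM;
    int rc = simulated_control_msg(buf, 2, short_transfer);
    if (rc < 2) { free(buf); return rc < 0 ? rc : -EIO; }
    *state = buf[0] | (buf[1] << 8);
    printf("line state: 0x%04x\n", *state);
    free(buf);
    return 0;
}
```

Running the vulnerable variant with a short transfer succeeds and logs the stale 0xAAAA marker; the hardened variant returns -EIO and logs nothing.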

Defensive priority

Medium. The issue is local and confidentiality-focused, but it can expose sensitive kernel memory through logs. Patch or backport the upstream fix as part of normal kernel maintenance, and prioritize multi-user hosts or systems where local users can access kernel logs.

Recommended defensive actions

  • Upgrade to Linux kernel 4.9.5 or a vendor build that backports the upstream fix referenced for CVE-2017-5549.
  • Confirm all supported systems are outside the affected range (Linux kernel 4.9.4 and earlier).
  • Review which users can read kernel logs and reduce log access where possible.
  • Check whether the kl5kusb105 USB serial driver is needed in your environment and remove unused modules or packages.
  • Track distro-specific advisories and backports, including Debian DSA-3791 and Ubuntu USN-3754-1, for remediation guidance.

Evidence notes

The NVD description states that klsi_105_get_line_state in drivers/usb/serial/kl5kusb105.c can place uninitialized heap-memory contents into a log entry when reading the line status fails, allowing local users to obtain sensitive information by reading the log. NVD lists the affected CPE as Linux kernel versions through 4.9.4 and assigns CVSS v3.0 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N with CWE-532. The supplied references include the upstream Linux commit 146cc8a17a3b4996f6805ee5c080e7101277c410, the Linux 4.9.5 changelog, and related vendor/advisory links.

Official resources

Publicly disclosed in the CVE record on 2017-02-06. The supplied references also point to an oss-security thread dated 2017-01-21 and to the Linux 4.9.5 fix/release materials. NVD metadata was later modified on 2026-05-13.