PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5550 Linux CVE debrief

CVE-2017-5550 is a Linux kernel information-disclosure issue in pipe_advance that can expose uninitialized heap memory to a local user in limited, opportunistic circumstances. NVD lists affected kernels through 4.9.4 and notes the issue is fixed in Linux 4.9.5. The impact is confidentiality-only and requires local access, so the main concern is unintended data exposure on multi-user systems.

Vendor
Linux
Product
CVE-2017-5550
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-06
Original CVE updated
2026-05-13
Advisory published
2017-02-06
Advisory updated
2026-05-13

Who should care

Linux kernel maintainers, distro security teams, and administrators of multi-user Linux systems running kernels older than 4.9.5. It matters most where untrusted or low-privilege local users can obtain shell access or run workloads on the same host.

Technical summary

The NVD description states there is an off-by-one error in pipe_advance in lib/iov_iter.c. Under the wrong buffer-release decision, reading from a pipe can return data from uninitialized heap-memory locations, allowing sensitive information disclosure to a local attacker. The CVSS vector provided by NVD is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, and the mapped weakness is CWE-200.

Defensive priority

Medium priority. Patch affected systems promptly, especially shared or multi-user Linux hosts, but this issue is lower urgency than remote code execution because it requires local privileges and affects confidentiality rather than integrity or availability.

Recommended defensive actions

  • Upgrade the Linux kernel to 4.9.5 or a vendor build that includes the fix.
  • Confirm whether your distribution has backported the fix to supported kernel packages, not just whether the version string is newer.
  • Prioritize remediation on servers, shared hosts, and systems where local users or workloads are not fully trusted.
  • Review local-access controls and reduce unnecessary shell or account access on affected systems.
  • Use the upstream commit and vendor release notes to verify that the patch is present in your deployed kernel build.
  • Update vulnerability inventories to mark kernels at or below 4.9.4 as affected unless the vendor explicitly documents a backport.

Evidence notes

This debrief is based on the supplied NVD record and linked official/vendor references only. The source record describes an off-by-one error in pipe_advance, a local information-disclosure impact, and affected versions through 4.9.4. NVD also supplies the CVSS 3.0 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N and CWE-200. Linked references include the upstream kernel commit, Linux 4.9.5 changelog, oss-security patch discussion, and Red Hat bug tracker entry.

Official resources

CVE published on 2017-02-06T06:59:00.667Z and modified on 2026-05-13T00:24:29.033Z. Public references in the supplied corpus include a January 21, 2017 oss-security patch discussion and Linux 4.9.5 release notes.