PatchSiren

CVE-2017-5551 Linux CVE debrief

CVE-2017-5551 is a Linux kernel local privilege issue affecting systems running kernel versions before 4.9.6. The flaw is in simple_set_acl in fs/posix_acl.c and can preserve the setgid bit during a setxattr call on tmpfs. In practical terms, a local user may be able to gain group privileges when a restrictive setgid program is present. The record notes this is an incomplete fix for CVE-2016-7097.

Vendor: Linux
Product: CVE-2017-5551
CVSS: MEDIUM 4.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-06
Original CVE updated: 2026-05-13
Advisory published: 2017-02-06
Advisory updated: 2026-05-13

Who should care

Linux administrators, distro maintainers, and security teams responsible for multi-user systems that run affected kernel versions, especially where tmpfs is used and local users can interact with ACL/xattr workflows or setgid programs.

Technical summary

NVD describes the issue as a Linux kernel vulnerability with CVSS 3.0 vector AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The affected CPE range is Linux kernel versions up to and including 4.9.5. The bug occurs in simple_set_acl, where a setxattr operation on tmpfs can preserve the setgid bit rather than clearing it as intended. The vulnerability is explicitly described as resulting from an incomplete fix for CVE-2016-7097.

Defensive priority

Medium. The vulnerability requires local access and is not rated for availability impact, but it can still affect privilege boundaries on multi-user Linux systems and should be patched promptly on exposed hosts.

Recommended defensive actions

  • Update to Linux kernel 4.9.6 or a vendor build that backports the fix.
  • Verify your distribution’s security advisory or kernel changelog to confirm the patch is included.
  • Prioritize remediation on multi-user systems where untrusted local accounts exist.
  • Review systems that rely on tmpfs, ACLs, or setgid workflows for exposure to this class of issue.
  • If immediate patching is not possible, reduce unnecessary local user access until the fixed kernel is deployed.
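
A triage sketch for the actions above, added here as an example and not taken from the advisory or the kernel project: it flags kernels whose upstream version is below 4.9.6 for backport confirmation and inventories setgid files on tmpfs mounts. The function names and the --audit switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage helper for CVE-2017-5551 (names below are assumptions).
# Run as: sh cve-2017-5551-triage.sh --audit
FIXED="4.9.6"   # first fixed upstream release named in the advisory

# "4.9.5-3-amd64" -> "4.9.5": drop distro/vendor suffixes from `uname -r`.
upstream_version() {
    printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/; s/\.$//'
}

# Succeeds when dotted version $1 sorts strictly before $2 (numeric per field).
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# "review" means the version string alone cannot clear the host: vendor kernels
# often keep an old base version and backport fixes, so check the changelog.
classify_kernel() {
    v=$(upstream_version "$1")
    if version_lt "$v" "$FIXED"; then
        echo "review"
    else
        echo "fixed-upstream"
    fi
}

# Print tmpfs mount points from a mounts table (default: /proc/mounts).
tmpfs_mounts() {
    awk '$3 == "tmpfs" { print $2 }' "${1:-/proc/mounts}"
}

# Report kernel status, then inventory setgid files on each tmpfs mount.
audit() {
    echo "kernel $(uname -r): $(classify_kernel "$(uname -r)")"
    tmpfs_mounts | while read -r mp; do
        echo "tmpfs: $mp"
        find "$mp" -xdev -type f -perm -2000 2>/dev/null | sed 's/^/  setgid: /'
    done
}

if [ "${1:-}" = "--audit" ]; then
    audit
fi
```

A "review" result is a prompt to check the distribution's advisory, not a finding: the version string cannot show whether a vendor build carries the backported fix.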

Evidence notes

The supplied NVD record lists Linux kernel versions through 4.9.5 as vulnerable and cites the upstream kernel commit and the Linux 4.9.6 changelog as remediation references. The description states the flaw preserves the setgid bit during setxattr on tmpfs and identifies it as an incomplete fix for CVE-2016-7097. NVD also classifies the weakness as NVD-CWE-noinfo, so no more specific CWE should be inferred beyond the source record.

Official resources

CVE-2017-5551 was published on 2017-02-06. The supplied record shows a later metadata modification on 2026-05-13, but that does not change the original vulnerability publication date. Remediation references point to the upstream Linux fix/4