PatchSiren

CVE-2017-5577 Linux CVE debrief

CVE-2017-5577 is a Linux kernel vulnerability in the VideoCore DRM (vc4) driver that can let a local attacker cause a denial of service. The issue is tied to error handling in vc4_get_bcl(): when certain overflow conditions are detected, the function does not set errno as expected, which can lead to an incorrect pointer dereference and kernel OOPS during a VC4_SUBMIT_CL ioctl path. The NVD record rates this as medium severity with availability impact only, and the affected kernel range is before 4.9.7.

Vendor: Linux
Product: CVE-2017-5577
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-06
Original CVE updated: 2026-05-13
Advisory published: 2017-02-06
Advisory updated: 2026-05-13

Who should care

Kernel and distro maintainers, system administrators running Linux systems with the vc4 DRM driver enabled, and anyone exposing affected kernels to untrusted local users or containers. Systems where local privilege boundaries matter most should prioritize review, because the impact is a kernel crash rather than data theft or remote compromise.

Technical summary

The vulnerability is in drivers/gpu/drm/vc4/vc4_gem.c, specifically vc4_get_bcl(). According to the supplied CVE description, overflow detection in this path did not properly set an errno value. That error-handling gap can leave later logic operating on inconsistent size values provided through a VC4_SUBMIT_CL ioctl call, ultimately causing an incorrect pointer dereference and kernel OOPS. NVD maps the weakness to CWE-388 and lists the impact as local, low-privilege, no-user-interaction, with high availability impact.
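
The error-handling pattern described above, as an added example that is not the kernel's code or part of the original debrief: a simplified userspace C model in which the overflow check fires but the status stays 0 in the flawed path, next to a corrected path that returns -EINVAL. The struct and function names, the offset arithmetic, and the sample sizes are assumptions constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-ins for the ioctl arguments and the driver's exec state. */
struct submit_args { uint32_t bin_size, rec_size, uniforms_size; };
struct exec_state  { void *buf; uint32_t size; };

/* Shared body: set_err selects the corrected (1) or flawed (0) error path. */
static int get_bcl(const struct submit_args *a, struct exec_state *e, int set_err)
{
    int ret = 0;                          /* still 0 when the check below fires */
    uint32_t rec_off = a->bin_size;       /* each offset sums the sizes before it */
    uint32_t uni_off = rec_off + a->rec_size;
    uint32_t total   = uni_off + a->uniforms_size;
    /* After unsigned wrap-around a later offset is smaller than an earlier one. */
    if (uni_off < rec_off || total < uni_off) {
        if (set_err) ret = -EINVAL;       /* corrected path reports the failure */
        goto fail;                        /* flawed path leaves ret == 0 */
    }
    e->buf = malloc(total ? total : 1);
    if (!e->buf) { ret = -ENOMEM; goto fail; }
    e->size = total;
fail:
    return ret;
}

int get_bcl_flawed(const struct submit_args *a, struct exec_state *e) { return get_bcl(a, e, 0); }
int get_bcl_fixed(const struct submit_args *a, struct exec_state *e)  { return get_bcl(a, e, 1); }

/* Caller model: 1 if the caller sees "success" while e.buf was never set up. */
int caller_sees_unset_buf(int (*fn)(const struct submit_args *, struct exec_state *),
                          const struct submit_args *a)
{
    struct exec_state e = { NULL, 0 };
    int ret = fn(a, &e);
    int bad = (ret == 0 && e.buf == NULL);
    free(e.buf);
    return bad;
}

int main(void)
{
    struct submit_args wrap = { 0xFFFFFFF0u, 0x20u, 0 };  /* constructed sizes */
    printf("flawed: %d fixed: %d\n", caller_sees_unset_buf(get_bcl_flawed, &wrap),
           caller_sees_unset_buf(get_bcl_fixed, &wrap));
    return 0;
}
```

When reviewing similar code, check that every `goto fail` reached from a validation branch is preceded by an assignment to the status variable, since a zero-initialized status turns a detected error into an apparent success.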

Defensive priority

Moderate. This is not a remote code execution issue, but it can crash the kernel and disrupt affected hosts. It should be prioritized on systems that actually use the vc4 driver, especially where local users or untrusted workloads can reach the ioctl interface.

Recommended defensive actions

  • Update to Linux kernel 4.9.7 or later, or apply the upstream fix (kernel commit 6b8ac63847bc2f958dd93c09edc941a0118992d9, discussed on the related mailing list thread).
  • Confirm whether the vc4 DRM driver is present and in use on deployed systems; if not needed, reduce exposure by avoiding unnecessary access to the affected graphics stack.
  • Apply vendor backports from the distribution security advisory or kernel changelog corresponding to this fix.
  • Review container, multi-user, and desktop environments where local users may be able to exercise the vulnerable ioctl path.
  • Use standard kernel update and reboot procedures, then verify the running kernel version is within the fixed range.

Evidence notes

This debrief is based only on the supplied CVE record and official references. The CVE description states that vc4_get_bcl in Linux kernel drivers/gpu/drm/vc4/vc4_gem.c did not set errno on certain overflow detections, allowing a local denial of service via inconsistent size values in VC4_SUBMIT_CL ioctl calls. The NVD data lists affected versions through Linux 4.9.6 and a CVSS v3.0 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The reference set includes the upstream kernel commit 6b8ac63847bc2f958dd93c09edc941a0118992d9, the Linux 4.9.7 changelog, and the associated mailing list discussion. The CVE published date used here is 2017-02-06; the NVD record was last modified on 2026-05-13.

Official resources

Publicly disclosed on 2017-02-06. The supplied record indicates the issue was fixed upstream before or by Linux 4.9.7, with patch and mailing list references dated in January 2017. NVD metadata for the record was last modified on 2026-05-13.