PatchSiren cyber security CVE debrief

CVE-2017-5967 Linux CVE debrief

CVE-2017-5967 is a local information disclosure flaw in the Linux kernel time subsystem. On affected systems with CONFIG_TIMER_STATS enabled, a user can read /proc/timer_list and learn real PID values, including values that are distinguishable from PID namespace values. NVD lists affected Linux kernel versions through 4.9.9 and rates the issue as medium severity with low confidentiality impact and no integrity or availability impact.

Vendor: Linux
Product: CVE-2017-5967
CVSS: MEDIUM 4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-14
Original CVE updated: 2026-05-13
Advisory published: 2017-02-14
Advisory updated: 2026-05-13

Who should care

Linux kernel maintainers, distro security teams, container/platform operators, and administrators running kernels that may have CONFIG_TIMER_STATS enabled—especially systems where PID namespace isolation is relied on for tenant separation or observability hardening.

Technical summary

According to the CVE description, the issue is in the kernel time subsystem, specifically related to print_timer in kernel/time/timer_list.c and __timer_stats_timer_set_start_info in kernel/time/timer.c. When CONFIG_TIMER_STATS is enabled, reading /proc/timer_list can reveal real PID values rather than only namespace-scoped PID values. The NVD record maps the affected CPE to Linux kernel versions through 4.9.9 and assigns CVSS 3.0 vector AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Defensive priority

Moderate. This is not a code-execution or denial-of-service issue, but it weakens process-identity confidentiality on affected kernels and may undermine assumptions made by isolation or monitoring tooling.

Recommended defensive actions

Check whether any deployed Linux kernels are at or below version 4.9.9 and whether CONFIG_TIMER_STATS is enabled in those builds.
Review whether /proc/timer_list is accessible in your environment and restrict exposure where operationally feasible.
Prioritize kernel updates or vendor backports that include the referenced kernel fix commit.
Validate container and namespace isolation assumptions in workloads that depend on PID anonymization or namespace separation.
Use distribution advisories and kernel issue tracking to confirm whether your vendor build carries the patch, since backported fixes may not align with upstream version numbers exactly.

Evidence notes

The CVE description states that the Linux kernel time subsystem through 4.9.9, when CONFIG_TIMER_STATS is enabled, allows local users to discover real PID values by reading /proc/timer_list. NVD lists the affected CPE as Linux kernel versions up to and including 4.9.9 and gives CVSS 3.0 AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The supplied references include an upstream kernel commit URL, a Bugzilla issue, and a SecurityFocus entry, which together support the fix and tracking trail without adding exploit detail.

Official resources

CVE-2017-5967 CVE record
CVE.org
CVE-2017-5967 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch, Third Party Advisory
Source reference
[email protected]
Source reference
[email protected] - Issue Tracking

CVE published 2017-02-14 06:59:00 UTC. The supplied NVD record was later modified on 2026-05-13 00:24:29 UTC. This debrief uses the CVE publication date for timing context and does not treat the later modification date as the issue date.