PatchSiren

CVE-2017-5972 Linux CVE debrief

CVE-2017-5972 is a Linux kernel 3.x denial-of-service issue in TCP SYN cookie handling. According to the NVD record, an attacker can send many TCP SYN packets to cause high CPU consumption on affected systems, including a demonstrated impact against CentOS Linux 7's kernel-3.10.0 package. The vulnerable range in the NVD metadata spans Linux kernel versions 3.0.0 through 3.19.8.

Vendor: Linux
Product: CVE-2017-5972
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-14
Original CVE updated: 2026-05-13
Advisory published: 2017-02-14
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running network-exposed Linux kernel 3.x systems, especially servers that must stay available under high connection load or untrusted Internet traffic.

Technical summary

NVD describes a TCP stack flaw where SYN cookie protection is not properly implemented for a fast network connection case. The result is a remotely reachable availability issue: many TCP SYN packets can drive excessive CPU use and degrade or deny service. NVD classifies the issue as CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H with CWE-400 (Uncontrolled Resource Consumption).

Defensive priority

High. This is a network-reachable, unauthenticated denial-of-service issue that can affect availability on vulnerable Linux 3.x systems.

Recommended defensive actions

  • Identify systems running Linux kernel versions in the affected range noted by NVD (3.0.0 through 3.19.8) and prioritize any internet-facing hosts.
  • Apply vendor or distribution kernel updates that address CVE-2017-5972; use the linked vendor advisories and tracking pages to confirm fixed package versions for your distribution.
  • Review and harden edge protections for SYN-flood conditions, such as upstream rate limiting or filtering where appropriate, to reduce CPU pressure on exposed hosts.
  • Monitor vulnerable or high-risk hosts for abnormal TCP SYN volumes, connection-queue pressure, and sustained CPU spikes that may indicate an availability attack.
  • Track remediation against the official CVE/NVD records and distro advisories rather than relying on exploit writeups or third-party summaries.
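
One way to implement the monitoring action above, as an added example that is not part of the NVD record or the original debrief: it compares two snapshots of the Linux /proc/net/netstat TcpExt counters and reports SYN cookie and listen-queue counters whose per-second rate exceeds a threshold. The snapshots are constructed and trimmed to five counters, and the thresholds are assumptions to be tuned against each host's baseline.

```python
"""Flag SYN-flood pressure from two /proc/net/netstat snapshots (added example)."""

# Constructed sample snapshots (not captured from a real host), taken 10 s apart.
# A real file carries many more TcpExt columns; these are trimmed for readability.
SNAPSHOT_T0 = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 120 95 4 10 12
IpExt: InOctets OutOctets
IpExt: 5000 7000
"""
SNAPSHOT_T1 = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 250120 140 9000 48010 52012
IpExt: InOctets OutOctets
IpExt: 9000 9500
"""

# Assumed alert thresholds in events per second; tune per host baseline.
THRESHOLDS = {"SyncookiesSent": 1000.0, "ListenOverflows": 100.0, "ListenDrops": 100.0}


def parse_tcpext(text):
    """Return TcpExt counters as a dict; the file pairs a name line with a value line."""
    rows = [line.split() for line in text.splitlines() if line.startswith("TcpExt:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one TcpExt header line and one matching value line")
    return {name: int(value) for name, value in zip(rows[0][1:], rows[1][1:])}


def syn_pressure(before, after, interval_s, thresholds=THRESHOLDS):
    """Return {counter: rate} for each watched counter whose rate exceeds its threshold."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    old, new = parse_tcpext(before), parse_tcpext(after)
    alerts = {}
    for name, limit in thresholds.items():
        # Counters restart from zero on reboot; clamp negative deltas instead of alerting.
        delta = max(new.get(name, 0) - old.get(name, 0), 0)
        rate = delta / interval_s
        if rate > limit:
            alerts[name] = rate
    return alerts


if __name__ == "__main__":
    for counter, rate in syn_pressure(SNAPSHOT_T0, SNAPSHOT_T1, 10).items():
        print(f"ALERT {counter}: {rate:.0f}/s")
```

On a live host, read /proc/net/netstat twice at a known interval and pass both reads to syn_pressure; correlate any alert with CPU utilisation before treating it as an availability attack.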

Evidence notes

The debrief is based on the provided NVD metadata and reference list. The record states the issue affects Linux kernel 3.x, is remotely triggerable via many TCP SYN packets, and can cause CPU-consumption denial of service. NVD lists vulnerable CPE criteria for cpe:2.3:o:linux:linux_kernel:* with versionStartIncluding 3.0.0 and versionEndIncluding 3.19.8. References include the official CVE/NVD records plus vendor and third-party advisories. The note in the CVE description says third parties have been unable to discern any relationship between the GitHub Engineering finding and the Trigemini.c attack code; this debrief does not assume any such relationship. No KEV entry is provided in the supplied timeline.

Official resources

Published by CVE/NVD on 2017-02-14T06:59:00.277Z. The supplied metadata shows the record was last modified on 2026-05-13T00:24:29.033Z. No KEV publication date is provided in the supplied timeline.