PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6345 Linux CVE debrief

CVE-2017-6345 is a Linux kernel flaw in the LLC subsystem that was publicly disclosed on 2017-03-01. The issue affects kernel versions up to 4.9.12 and was fixed in 4.9.13. A local user can trigger a BUG_ON denial of service through crafted system calls, with the advisory also noting possible unspecified additional impact.

Vendor: Linux
Product: CVE-2017-6345
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Linux kernel maintainers, distro security teams, and operators of systems running Linux kernel 4.9.12 or earlier should prioritize this issue, especially on multi-user systems where untrusted local accounts or workloads can reach the kernel attack surface.

Technical summary

NVD classifies the issue as CWE-20 and rates it CVSS 3.0 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerable condition is in the LLC subsystem, where the kernel does not ensure that a required destructor exists in certain circumstances. The supplied references point to a fix in commit 8b74d439e1697110c5e5c600643e823eb1dd0762 and the 4.9.13 changelog. The described result is a local BUG_ON-triggered denial of service, with additional impact left unspecified in the record.

Defensive priority

High

Recommended defensive actions

  • Upgrade Linux kernels to 4.9.13 or later, or use a vendor build that includes the backported fix.
  • Confirm whether any deployed systems run kernel versions at or below 4.9.12.
  • Apply the vendor or distribution security update referenced by your platform, such as the kernel fix or downstream advisory.
  • Treat the issue as locally reachable and restrict unnecessary local access where practical until patched.
  • Validate patched builds by confirming the kernel release notes or changelog include the 4.9.13 fix reference.
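The inventory and validation steps above reduce to one question per host: is the running release older than the first fixed upstream release? The following POSIX shell script is an added example, not part of the PatchSiren debrief or of the Linux project, that answers it from a release string such as the output of uname -r. The only value taken from the debrief is the fix release 4.9.13; the function names and the "unparseable" status code are this example's own choices.

```shell
#!/bin/sh
# Added example for CVE-2017-6345 triage (not code from the debrief or the kernel tree).
# Compares a kernel release string against the first fixed upstream release.

FIXED_RELEASE="4.9.13"   # first upstream release with the fix, per the debrief

# Turn "4.9.12-generic" style strings into a sortable integer (major*1e6+minor*1e3+patch).
# Prints nothing and returns 1 when the string does not start with a numeric version.
release_to_number() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-generic", "+", "-rc1", ...
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -s -d. -f2)
    patch=$(printf '%s' "$ver" | cut -s -d. -f3)
    case "$major" in
        ''|*[!0-9]*) return 1 ;;
    esac
    : "${minor:=0}" "${patch:=0}"                      # "4.10" is treated as 4.10.0
    printf '%d\n' $(( major * 1000000 + minor * 1000 + patch ))
}

# Exit status: 0 = release is below 4.9.13 (treat as affected),
#              1 = release is 4.9.13 or newer, 2 = release string not understood.
kernel_is_vulnerable() {
    n=$(release_to_number "$1") || return 2
    f=$(release_to_number "$FIXED_RELEASE")
    [ "$n" -lt "$f" ]
}

# Print a verdict for one release string; the exit status mirrors kernel_is_vulnerable.
triage_release() {
    if kernel_is_vulnerable "$1"; then
        status=0
    else
        status=$?
    fi
    case "$status" in
        0) echo "$1: below $FIXED_RELEASE upstream; treat as affected by CVE-2017-6345 unless the vendor changelog shows the backported fix" ;;
        1) echo "$1: $FIXED_RELEASE or newer upstream; not affected by version" ;;
        *) echo "$1: release string not understood; check the vendor changelog manually" ;;
    esac
    return "$status"
}

# Run against the local kernel when executed directly.
triage_release "$(uname -r 2>/dev/null || echo unknown)"
```

A version comparison is only a first pass: distribution kernels keep an older version string while carrying backported fixes, which is why a host reported as affected here should be confirmed against the vendor changelog or advisory, as the last action above says.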

Evidence notes

The supplied NVD record lists Linux kernel versions through 4.9.12 as vulnerable and cites CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H with CWE-20. MITRE/NVD references include the Linux kernel commit 8b74d439e1697110c5e5c600643e823eb1dd0762, the Linux 4.9.13 changelog, and the oss-security mailing list post dated 2017-02-28, all consistent with a fix released around the CVE publication date of 2017-03-01.

Official resources

Publicly disclosed on 2017-03-01. The supplied corpus shows fix-related references in the Linux commit, 4.9.13 changelog, and related security advisories around that time.