PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6346 Linux CVE debrief

CVE-2017-6346 is a race condition in the Linux kernel's net/packet/af_packet.c, reached through PACKET_FANOUT setsockopt calls. According to NVD and the linked kernel references, the flaw can lead to a use-after-free and denial of service, with possible additional unspecified impact. The issue affects multiple Linux kernel branches and is fixed in Linux 4.9.13, the release referenced by the kernel changelog and the patch commit.

Vendor: Linux
Product: CVE-2017-6346
CVSS: HIGH 7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Linux kernel maintainers, distribution security teams, and operators of systems that allow untrusted local users to run code on affected kernel versions.

Technical summary

The vulnerability is a concurrency bug in the Linux packet socket fanout path. NVD classifies it as a local issue with high attack complexity and low privileges required. The described trigger is a multithreaded application making PACKET_FANOUT setsockopt system calls, which can race and produce a use-after-free in net/packet/af_packet.c. NVD lists CWE-362 and CWE-416 and maps affected kernel branches up to the 4.9.13 fix point.

Defensive priority

High. Although the attack is local, the bug affects kernel memory safety and can crash the system or potentially have broader impact. Kernel updates or vendor backports should be prioritized wherever untrusted local code can execute.

Recommended defensive actions

  • Upgrade to a kernel version that includes the fix referenced by the Linux 4.9.13 changelog, or apply the vendor backport for your distribution.
  • Confirm whether your distribution has already shipped a security advisory or backport for CVE-2017-6346 before scheduling manual patching.
  • Review affected kernel branches listed by NVD to determine exposure across legacy systems, especially those running older 3.x, 4.1, 4.4, or 4.9-based kernels.
  • Limit untrusted local code execution where practical until patched, since the documented attack requires local access.
  • After patching, verify the fix with vendor release notes or changelog references rather than relying on the upstream CVE entry alone.
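The triage logic behind the first three actions, as an added example (it is not PatchSiren's tooling or part of the kernel project): it classifies a `uname -r` string against the 4.9.13 upstream fix point named above and refuses to give a verdict for vendor-built kernels or for the older 3.x/4.1/4.4 branches, whose backport versions the debrief does not state and which therefore have to be checked against the distribution advisory (for example DSA-3804 on Debian). The status names and the sample release strings are constructed for this example.

```python
import re

# Upstream fix release named in the debrief (Linux 4.9.13). The older stable
# branches (3.x, 4.1, 4.4) received their own backports, but the debrief does not
# give those version numbers, so this script defers them to the vendor advisory.
UPSTREAM_FIX = (4, 9, 13)


def parse_kernel_release(release):
    """Return (major, minor, patch) from a `uname -r` string.

    Distribution suffixes such as "-3-amd64" or ".el7.x86_64" are ignored here;
    is_distro_build() explains why they still matter for the verdict.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_distro_build(release):
    """Heuristic: a '-' after the version number means a vendor-maintained kernel.

    Debian's 4.9.0-3-amd64, for example, reports 4.9.0 through uname even when
    the package already carries the upstream fix, so the bare version number can
    both understate and overstate exposure for such kernels.
    """
    return "-" in release


def assess_cve_2017_6346(release):
    """Classify a kernel release string for CVE-2017-6346 exposure.

    Returns one of (names constructed for this example):
      VULNERABLE_UPSTREAM   - upstream 4.9.x release before 4.9.13
      FIXED_UPSTREAM        - 4.9.13 or later (the CVE text says "before 4.9.13")
      CHECK_VENDOR_ADVISORY - vendor build or older stable branch; the version
                              alone cannot decide, consult the distribution advisory
    """
    version = parse_kernel_release(release)
    if is_distro_build(release):
        return "CHECK_VENDOR_ADVISORY"
    if version >= UPSTREAM_FIX:
        return "FIXED_UPSTREAM"
    if version[:2] == (4, 9):
        return "VULNERABLE_UPSTREAM"
    # 3.x, 4.1, 4.4 and friends: backport status depends on the stable/vendor branch
    return "CHECK_VENDOR_ADVISORY"


if __name__ == "__main__":
    import platform

    # Constructed sample inputs, followed by the running host for a live check.
    samples = ["4.9.12", "4.9.13", "4.10.1", "4.4.50",
               "4.9.0-3-amd64", "3.10.0-514.el7.x86_64"]
    for rel in samples + [platform.release()]:
        print(f"{rel:28} {assess_cve_2017_6346(rel)}")
```

The dash heuristic is deliberately conservative: any vendor-built kernel, including ones that track upstream closely, is sent to the advisory check rather than being declared fixed or vulnerable on the strength of a version string, which is the point the last two actions above make.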

Evidence notes

The CVE description states that the race condition in net/packet/af_packet.c before Linux 4.9.13 allows local users to cause a denial of service via a multithreaded application making PACKET_FANOUT setsockopt calls. NVD lists affected kernel version ranges across multiple branches and classifies the issue as CVSS 3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The linked references include the upstream Linux commit, the 4.9.13 changelog, an oss-security post, and Debian advisory DSA-3804. The CVE record's publication timestamp is 2017-03-01T20:59:00.410Z; the 2026-05-13 modified date reflects later record updates, not the original vulnerability date.

Official resources

CVE published 2017-03-01; NVD record modified 2026-05-13. The fix references point to Linux 4.9.13 and related upstream/vendor advisories.