PatchSiren cyber security CVE debrief

CVE-2017-6347 Linux CVE debrief

CVE-2017-6347 is a Linux kernel vulnerability in ip_cmsg_recv_checksum that stems from incorrect expectations about skb data layout. On affected kernels, a local user can trigger a buffer over-read through crafted system calls; the described impact includes denial of service and possibly other unspecified effects. The issue was publicly disclosed on 2017-03-01, and Linux 4.10.1 is referenced as the fixed release.

Vendor: Linux
Product: CVE-2017-6347
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Linux kernel maintainers, distribution security teams, and operators running affected kernel versions should treat this as relevant. Systems that allow local code execution or untrusted local users have the most exposure, because the vulnerability is triggered from the local context.

Technical summary

According to the NVD record, the flaw is in net/ipv4/ip_sockglue.c, specifically ip_cmsg_recv_checksum. The function made incorrect assumptions about skb layout, which can lead to a buffer over-read. The described trigger involves crafted system calls and use of MSG_MORE with loopback UDP transmission. NVD maps the weakness to CWE-125. Affected version ranges listed by NVD are Linux kernel 4.0 through before 4.4.52, 4.5 through before 4.9.13, and 4.10 through before 4.10.1.

Defensive priority

High. This is a local kernel memory-safety issue with denial-of-service potential and possible broader impact, and it has an identified fix path in upstream Linux references.

Recommended defensive actions

Upgrade to a fixed Linux kernel release at or above 4.10.1, or to the corresponding patched stable kernel in your distribution.
Prioritize patching systems that permit untrusted local accounts, shared workloads, or container hosts where local kernel exposure matters.
Verify whether your deployed kernel falls within the affected ranges listed by NVD: 4.0 to before 4.4.52, 4.5 to before 4.9.13, or 4.10 to before 4.10.1.
Use vendor backport advisories and release notes to confirm the exact patched build for your distribution.
Track Linux kernel security advisories and apply updates promptly for memory-safety issues in networking code.

Evidence notes

Primary facts come from the NVD record and its referenced upstream links. The NVD description identifies ip_cmsg_recv_checksum in net/ipv4/ip_sockglue.c, the local-user trigger, and the denial-of-service/buffer over-read impact. NVD classifies the weakness as CWE-125 and lists affected version ranges. The referenced Linux commit, changelog for 4.10.1, openwall mailing list post, and bug tracker entry provide patch and advisory context.

Official resources

CVE-2017-6347 CVE record
CVE.org
CVE-2017-6347 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Patch, Third Party Advisory
Mitigation or vendor reference
[email protected] - Patch, Release Notes, Third Party Advisory
Mitigation or vendor reference
[email protected] - Mailing List, Patch, Third Party Advisory
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch, Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Patch, Third Party Advisory

Publicly disclosed on 2017-03-01. The CVE record was later modified on 2026-05-13, but that is record maintenance metadata and not the vulnerability issue date.