PatchSiren cyber security CVE debrief
CVE-2017-6353 Linux CVE debrief
CVE-2017-6353 is a local denial-of-service issue in the Linux kernel's SCTP socket handling. A multithreaded application could trigger association peel-off operations during certain wait states, leading to an invalid unlock and double free. The issue is notable because the CVE description says it exists due to an incorrect fix for CVE-2017-5986.
- Vendor: Linux
- Product: CVE-2017-6353
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-01
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-01
- Advisory updated: 2026-05-13
Who should care
Organizations running affected Linux kernels, especially systems that allow local code execution or host untrusted user workloads. Kernel maintainers, distro security teams, and operators of multi-user servers and containers should prioritize validation and patching.
Technical summary
The vulnerability is in net/sctp/socket.c. Under certain wait states, association peel-off operations were not sufficiently restricted, which could produce an invalid unlock followed by a double free. NVD classifies the weakness as CWE-415 and rates impact as availability-only with local attack prerequisites (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). The description states affected kernels are through 4.10.1, while the NVD CPE range marks Linux kernel versions through 4.10 as vulnerable.
Defensive priority
Medium. The issue requires local access and is not reported as remote code execution, but it can crash the kernel or disrupt service on affected hosts.
Recommended defensive actions
- Apply the Linux kernel fix referenced by the linked upstream commit and vendor advisories.
- Update affected distributions or kernel packages to versions that include the SCTP peel-off restriction fix.
- Review hosts that run multi-user workloads, containers, or untrusted local code for exposure to local kernel-triggering bugs.
- Use distro security advisories and upstream commit references to confirm whether your exact kernel build includes the fix.
- If immediate patching is not possible, reduce exposure to untrusted local workloads on affected systems until updates are applied.
Evidence notes
The CVE description explicitly states that net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, enabling a local denial of service via invalid unlock and double free. NVD lists CWE-415 and the CVSS vector CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. References include an upstream Linux kernel commit, an Openwall mailing list post, and Debian security advisory DSA-3804. The narrative description says the flaw is due to an incorrect fix for CVE-2017-5986. NVD's CPE range marks Linux kernel versions through 4.10 as vulnerable, which differs slightly from the textual description's "through 4.10.1".
Official resources
- CVE-2017-6353 CVE record (CVE.org)
- CVE-2017-6353 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Patch, Third Party Advisory
- Mitigation or vendor reference: Mailing List, Patch, Third Party Advisory
- Mitigation or vendor reference: Patch, Third Party Advisory
CVE-2017-6353 was published on 2017-03-01 and the NVD record was last modified on 2026-05-13. The official record and linked advisories point to an upstream Linux kernel fix and distro guidance for remediation.