Vulnerability Details CVE-2006-2274
Linux SCTP (lksctp) before 2.6.17 allows remote attackers to cause a denial of service (infinite recursion and crash) via a packet that contains two or more DATA fragments, which causes an skb pointer to refer back to itself when the full message is reassembled, leading to infinite recursion in the sctp_skb_pull function.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.093
EPSS Ranking 92.4%
CVSS Severity
CVSS v2 Score 5.0
References
- http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=672e7cca17ed6036a1756ed34cf20dbd72d5e5f6
- http://secunia.com/advisories/20237
- http://secunia.com/advisories/20398
- http://secunia.com/advisories/20671
- http://secunia.com/advisories/20716
- http://secunia.com/advisories/20914
- http://secunia.com/advisories/21045
- http://secunia.com/advisories/21476
- http://secunia.com/advisories/21745
- http://support.avaya.com/elmodocs2/security/ASA-2006-161.htm
- http://www.debian.org/security/2006/dsa-1097
- http://www.debian.org/security/2006/dsa-1103
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:123
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:150
- http://www.novell.com/linux/security/advisories/2006-05-31.html
- http://www.osvdb.org/25746
- http://www.redhat.com/support/errata/RHSA-2006-0493.html
- http://www.securityfocus.com/bid/17955
- http://www.trustix.org/errata/2006/0026
- http://www.ubuntu.com/usn/usn-302-1
- http://www.vupen.com/english/advisories/2006/2554
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26432
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9531
- http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=672e7cca17ed6036a1756ed34cf20dbd72d5e5f6
- http://secunia.com/advisories/20237
- http://secunia.com/advisories/20398
- http://secunia.com/advisories/20671
- http://secunia.com/advisories/20716
- http://secunia.com/advisories/20914
- http://secunia.com/advisories/21045
- http://secunia.com/advisories/21476
- http://secunia.com/advisories/21745
- http://support.avaya.com/elmodocs2/security/ASA-2006-161.htm
- http://www.debian.org/security/2006/dsa-1097
- http://www.debian.org/security/2006/dsa-1103
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:123
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:150
- http://www.novell.com/linux/security/advisories/2006-05-31.html
- http://www.osvdb.org/25746
- http://www.redhat.com/support/errata/RHSA-2006-0493.html
- http://www.securityfocus.com/bid/17955
- http://www.trustix.org/errata/2006/0026
- http://www.ubuntu.com/usn/usn-302-1
- http://www.vupen.com/english/advisories/2006/2554
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26432
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9531
Products affected by CVE-2006-2274
-
cpe:2.3:a:lksctp:stream_control_transmission_protocol:2.6.17