CVE-2014-3153
HIGH severity · CVSS 7.8 · actively exploited (CISA KEV)
7.8CVSS HIGH ● exploited
🔴 Actively exploited in the wild (CISA Known Exploited Vulnerabilities).
Added to KEV 2022-05-25. US federal agencies must patch by 2022-06-15.
Summary
The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.
Impact & exploitability
Attack vectorLocal
Attack complexityLow
Privileges requiredLow
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)75%
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products we track (2)
Recommendation
This vulnerability is being actively exploited in the wild — patch affected products urgently. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=e9c243a5a6de0be8e584c604d353412584b592f8
- http://linux.oracle.com/errata/ELSA-2014-0771.htmlAdvisory
- http://linux.oracle.com/errata/ELSA-2014-3037.htmlAdvisory
- http://linux.oracle.com/errata/ELSA-2014-3038.htmlAdvisory
- http://linux.oracle.com/errata/ELSA-2014-3039.htmlAdvisory
- http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00014.htmlAdvisory
- http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00018.htmlAdvisory
- http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00025.htmlAdvisory