Linux kernel: CVE-2017-6074: DCCP double-free vulnerability
Discovered by xairy on Internet

This issue took 5 Days and 21 hours to triage and 475 Days and 0 hours to close the report once triaged.


CVE-2017-6074 [1] is a double-free vulnerability I found in the Linux kernel. It can be exploited to gain kernel code execution from an unprivileged processes. The kernel needs to be built with CONFIG_IP_DCCP for the vulnerability to be present. A lot of modern distributions enable this option by default.

Fixed on Feb 17, 2017 [2]. The oldest version that I checked is 2.6.18 (Sep 2006), which is vulnerable. However, the bug was introduced before that, probably in the first release with DCCP support (2.6.14, Oct 2005).

I initially reported this vulnerability to [email protected] following the coordinated disclosure process. The timeline and more details about the vulnerability can be found in my announcement on oss-security [3]. A proof-of-concept exploit for the 4.4.0-62-generic #83-Ubuntu kernel can be found here [4, 5].

The reason I'm reporting this now is that I just saw a similar bug [6] in the Windows kernel reported to this program and that reminded me of a Sandbox Escape program that used to be on HackerOne. I thought it makes sense to see if IBB would come back to considering this kind of bugs eligible for a bounty.









This vulnerability allows a local attacker to elevate privileges to root on a machine with vulnerable Linux kernel version.