#VU100004 Missing release of memory after effective lifetime in Linux kernel - CVE-2002-0046

Cybersecurity Help s.r.o.

Published: 2002-01-31 | Updated: 2017-10-10

Vulnerability identifier: #VU100004

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2002-0046

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Linux kernel, and possibly other operating systems, allows remote attackers to read portions of memory via a series of fragmented ICMP packets that generate an ICMP TTL Exceeded response, which includes portions of the memory in the response packet.

Mitigation
Install update from vendor's repository.

Vulnerable software versions

Linux kernel: All versions

External links
https://www.osvdb.org/5394
https://www.redhat.com/support/errata/RHSA-2002-007.html
https://www.securityfocus.com/archive/1/251418
https://exchange.xforce.ibmcloud.com/vulnerabilities/7998

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Missing release of memory after effective lifetime in Linux kernel