{"id":78989,"date":"2017-10-02T07:00:08","date_gmt":"2017-10-02T14:00:08","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=78989"},"modified":"2025-06-02T18:49:46","modified_gmt":"2025-06-03T01:49:46","slug":"linux-kernel-vulnerability-can-lead-to-privilege-escalation-analyzing-cve-2017-1000112","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/linux-kernel-vulnerability-can-lead-to-privilege-escalation-analyzing-cve-2017-1000112\/","title":{"rendered":"Linux Kernel Vulnerability Can Lead to Privilege Escalation: Analyzing CVE-2017-1000112"},"content":{"rendered":"<p><em>This blog was written by Krishs Patil.<\/em><\/p>\n<p>A memory corruption bug in the UDP fragmentation offload (UFO) code inside the Linux kernel can lead to local privilege escalation. In this post we will examine this vulnerability and its accompanying <a href=\"https:\/\/github.com\/xairy\/kernel-exploits\/blob\/master\/CVE-2017-1000112\/poc.c\" target=\"_blank\" rel=\"noopener\">exploit.<\/a> Although this bug affects both IPv4 and IPv6 code paths, we analyzed only IPv4 code running on vulnerable kernel version 4.8.0 of Ubuntu xenial. The bug was fixed in commit <a href=\"https:\/\/github.com\/torvalds\/linux\/commit\/85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa\" target=\"_blank\" rel=\"noopener\">85f1bd9<\/a>.<\/p>\n<p>Andrey Konovalov recently disclosed local privilege escalation exploits for vulnerabilities he found inside the Linux network subsystem while \u201cfuzzing\u201d with the tool syzkaller. In an <a href=\"http:\/\/seclists.org\/oss-sec\/2017\/q3\/277\" target=\"_blank\" rel=\"noopener\">oss-sec mailing thread,<\/a> Konovalov wrote \u201cWhen building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. 
However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption.\u201d<\/p>\n<h2><strong>NIC Offloads and UFOs<\/strong><\/h2>\n<p>Network interface card (NIC) offload allows the protocol stack to transmit packets that are larger than the Ethernet maximum transmission unit (MTU), which by default is 1,500 bytes. When NIC offload is enabled, the kernel will assemble multiple packets into a single large packet and pass it to the hardware, which handles IP fragmentation and segmentation into MTU-sized packets. This offload is often used with high-speed network interfaces for increased throughput because UFO can send large UDP packets.<\/p>\n<p>The Linux kernel can take advantage of the <a href=\"https:\/\/www.kernel.org\/doc\/Documentation\/networking\/segmentation-offloads.txt\" target=\"_blank\" rel=\"noopener\">segmentation-offload capabilities<\/a> of various NICs.<\/p>\n<h2><strong>Triggering a POC<\/strong><\/h2>\n<p>The following is a simple <a href=\"https:\/\/github.com\/xairy\/kernel-exploits\/blob\/master\/CVE-2017-1000112\/poc.c\" target=\"_blank\" rel=\"noopener\">proof of concept<\/a> that will trigger a kernel panic:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-79516\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/10\/20170922-Linux-UFO-1.png\" alt=\"\" width=\"789\" height=\"400\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20170922-Linux-UFO-1.png 789w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20170922-Linux-UFO-1-300x152.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/10\/20170922-Linux-UFO-1-768x389.png 768w\" sizes=\"auto, (max-width: 789px) 100vw, 789px\" \/><\/p>\n<p>To build UFO packets inside the kernel we can take one of two steps:<\/p>\n<ul>\n<li>Use the UDP_CORK socket option, which tells the kernel to accumulate all data on this 
socket into a single datagram to be transmitted when the option is disabled.<\/li>\n<li>Use the MSG_MORE flag when calling send\/sendto\/sendmsg, which tells the kernel to accumulate all data on this socket into a single datagram to be transmitted when a call is performed that does not specify this flag. This method triggers the vulnerability.<\/li>\n<\/ul>\n<p>Inside the kernel, the udp_sendmsg function is responsible for constructing UDP packets and sending them to the next layer. The following code shows a stripped-down implementation of the UDP cork functionality, which the user program enables with the UDP_CORK socket option or the MSG_MORE flag when calling send\/sendto\/sendmsg. When UDP corking is enabled, the ip_append_data function is called to accumulate multiple packets into a single large packet.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-78994 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-2.png\" alt=\"\" width=\"766\" height=\"333\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-2.png 766w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-2-300x130.png 300w\" sizes=\"auto, (max-width: 766px) 100vw, 766px\" \/><\/a><\/p>\n<p>The function ip_append_data is a wrapper around __ip_append_data, which manages socket buffers, either allocating a new socket buffer to store the data passed to it or appending the data to existing data when the socket is corked. One important task performed by this function is the handling of UFO. Socket buffers are managed in the socket\u2019s send queue. In the case of corked sockets, the queue has an entry in which additional data can be appended. 
The data sits on the send queue until udp_sendmsg determines it is time to call udp_push_pending_frames, which finalizes the socket buffer and calls udp_send_skb.<\/p>\n<p>The Linux kernel stores packets in the structure sk_buff (socket buffer), which is used by all network layers to store their headers, information about user data (payload), and other internal information.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-78998 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-3.png\" alt=\"\" width=\"738\" height=\"533\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-3.png 738w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-3-300x217.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-3-692x500.png 692w\" sizes=\"auto, (max-width: 738px) 100vw, 738px\" \/><\/a><\/p>\n<p><em>The socket buffer inside the kernel.<\/em><\/p>\n<p>In the preceding diagram, the head, data, tail, and end members of sk_buff point to the boundaries of the memory region in which protocol headers and the user payload are stored. The head and end members point to the beginning and end of the space allocated to the buffer. The data and tail members point to the beginning and end of user data within the entire space. 
Immediately following the end boundary, the structure skb_shared_info holds important information for IP fragmentation.<\/p>\n<h2><strong>Memory Corruption<\/strong><\/h2>\n<p>When the first call to \u201csend\u201d is made with the MSG_MORE flag, as shown in the earlier POC, __ip_append_data creates a new socket buffer by calling ip_ufo_append_data, as we see in the following code:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-78999 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-4.png\" alt=\"\" width=\"711\" height=\"413\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-4.png 711w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-4-300x174.png 300w\" sizes=\"auto, (max-width: 711px) 100vw, 711px\" \/><\/a><\/p>\n<p>When this call is finished and the new socket buffer has been created, user data is copied to the fragment and the shared info structure is updated with fragment information, as shown in the next image. 
The newly created sk_buff is then placed in the queue.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-79000 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-5.png\" alt=\"\" width=\"755\" height=\"181\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-5.png 755w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-5-300x72.png 300w\" sizes=\"auto, (max-width: 755px) 100vw, 755px\" \/><\/a><\/p>\n<p>In the next step, the POC updates the socket to not calculate a checksum for UDP by setting the SO_NO_CHECK option; this overrides the sk-&gt;sk_no_check_tx member of the socket structure. Inside __ip_append_data this variable is checked as one of the conditions prior to calling ip_ufo_append_data.<\/p>\n<p>During the POC\u2019s second call to \u201csend,\u201d a non-UFO path is taken inside __ip_append_data, which proceeds to a fragment length calculation loop. During the first iteration of the loop, the value of copy becomes negative, which triggers a new socket buffer allocation. In addition, the fraggap calculation exceeds the MTU and triggers fragmentation. This leads to copying the user payload from the sk_buff created by the first send call to the newly allocated sk_buff using the skb_copy_and_csum_bits function. This function copies a specified number of bytes from the source buffer to the destination sk_buff and computes a checksum. 
Calling skb_copy_and_csum_bits with a length greater than the end boundary of the newly created sk_buff writes past the end of the socket buffer and corrupts the skb_shared_info structure that immediately follows it.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-79001 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-6.png\" alt=\"\" width=\"829\" height=\"652\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-6.png 829w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-6-300x236.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-6-768x604.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-6-636x500.png 636w\" sizes=\"auto, (max-width: 829px) 100vw, 829px\" \/><\/a><\/p>\n<p>The corrupted skb_shared_info structure follows. 
The memory at address 0xffff88003a4ca900 is the newly created sk_buff with end=1728, where the fragmentation is triggered.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-79002 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-7.png\" alt=\"\" width=\"691\" height=\"392\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-7.png 691w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170922-Linux-UFO-7-300x170.png 300w\" sizes=\"auto, (max-width: 691px) 100vw, 691px\" \/><\/a><\/p>\n<h2><strong>Exploitation<\/strong><\/h2>\n<p>This bug can be exploited by an unprivileged user when unprivileged user namespaces are allowed, as on most default Ubuntu desktop systems. To exploit it, a user must be able to do two things:<\/p>\n<ul>\n<li>Set up an interface with UFO enabled (possible from the user namespace) or use that interface if it is already present. (The \u201clo\u201d interface enables UFO by default.)<\/li>\n<li>Disable the NETIF_F_UFO interface feature or set the SO_NO_CHECK socket option.<\/li>\n<\/ul>\n<p>Code execution can be diverted to user-mode shellcode by simply crafting a fake skb_shared_info structure at the end of a large buffer and setting the callback member to shellcode. The second \u201csend\u201d triggers an out-of-bounds condition on the socket buffer, overwriting skb_shared_info-&gt;destructor_arg with the user-mode shellcode address, which is invoked before sk_buff is released from kernel memory.<\/p>\n<p>The Linux kernel offers a large attack surface when exposed to unprivileged users. 
All users should keep their systems patched with the latest updates.<\/p>\n<p>Stay up to date on this vulnerability and more by following <a href=\"https:\/\/twitter.com\/mcafee_labs\" target=\"_blank\" rel=\"noopener\">@McAfee_Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog was written by Krishs Patil. A memory corruption bug in UDP fragmentation offload (UFO) code inside the Linux&#8230;<\/p>\n","protected":false},"author":695,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[4452,18,4827],"coauthors":[4136],"class_list":["post-78989","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-cybersecurity","tag-network-security","tag-vulnerability"],"acf":[]}