7.8
CVE-2017-17805
- EPSS 0.11%
- Published 20.12.2017 23:29:00
- Last modified 20.04.2025 01:37:25
- Source cve@mitre.org
- Teams watchlist Login
- Open Login
The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.
Data is provided by the National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 2.6.25 < 3.2.97
Linux ≫ Linux Kernel Version >= 3.3 < 3.16.52
Linux ≫ Linux Kernel Version >= 3.17 < 3.18.89
Linux ≫ Linux Kernel Version >= 3.19 < 4.1.49
Linux ≫ Linux Kernel Version >= 4.2 < 4.4.107
Linux ≫ Linux Kernel Version >= 4.5 < 4.9.71
Linux ≫ Linux Kernel Version >= 4.10 < 4.14.8
Debian ≫ Debian Linux Version8.0
Debian ≫ Debian Linux Version9.0
Opensuse Project ≫ Leap Version42.3
Suse ≫ Linux Enterprise Desktop Version12 Updatesp2
Suse ≫ Linux Enterprise Desktop Version12 Updatesp3
Suse ≫ Linux Enterprise Server Version11 Updateextra
Suse ≫ Linux Enterprise Server Version11 Updatesp4
Suse ≫ Linux Enterprise Server Version12 Updatesp2
Suse ≫ Linux Enterprise Server Version12 Updatesp3
Suse ≫ Linux Enterprise Server For Raspberry Pi Version12 Updatesp2
Canonical ≫ Ubuntu Linux Version12.04 SwEdition-
Canonical ≫ Ubuntu Linux Version14.04 SwEditionesm
Canonical ≫ Ubuntu Linux Version16.04 SwEditionesm
Canonical ≫ Ubuntu Linux Version17.10
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.11% | 0.298 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.2 | 3.9 | 10 |
AV:L/AC:L/Au:N/C:C/I:C/A:C
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.