CVE-2008-2826

Publication date 2 July 2008

Last updated 24 July 2024

Ubuntu priority

Medium

Why this priority?

Integer overflow in the sctp_getsockopt_local_addrs_old function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) functionality in the Linux kernel before 2.6.25.9 allows local users to cause a denial of service (resource consumption and system outage) via vectors involving a large addr_num field in an sctp_getaddrs_old data structure.

From the Ubuntu Security Team

Gabriel Campana discovered that SCTP routines did not correctly check for large addresses. A local user could exploit this to allocate all available memory, leading to a denial of service.

Read the notes from the security team

Status

Package Ubuntu Release Status
linux 8.04 LTS hardy
Fixed 2.6.24-19.36
7.10 gutsy Not in release
7.04 feisty Not in release
6.06 LTS dapper Not in release
linux-source-2.6.15 8.04 LTS hardy Not in release
7.10 gutsy Not in release
7.04 feisty Not in release
6.06 LTS dapper
Fixed 2.6.15-52.69
linux-source-2.6.20 8.04 LTS hardy Not in release
7.10 gutsy Not in release
7.04 feisty
Fixed 2.6.20-17.37
6.06 LTS dapper Not in release
linux-source-2.6.22 8.04 LTS hardy Not in release
7.10 gutsy
Fixed 2.6.22-15.56
7.04 feisty Not in release
6.06 LTS dapper Not in release

Notes

kees

linux-2.6: 735ce972fbc8a65fb17788debd7bbe7b4383cc62 was reported at one point as CVE-2008-2372

References

Related Ubuntu Security Notices (USN)

    • USN-625-1
    • Linux kernel vulnerabilities
    • 15 July 2008

Other references