Description: The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, web search, more)
References: DSA-2501-1, DSA-2508-1
NVD severity: high (attack range: local)
Debian Bugs: 677297, 677298, 677299
Debian/oldoldstable: not vulnerable.
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     | Release                     | Version              | Status
-------------------|-----------------------------|----------------------|-------
kfreebsd-10 (PTS)  | jessie                      | 10.1~svn274115-4     | fixed
kfreebsd-10 (PTS)  | stretch, sid                | 10.1~svn274115-10    | fixed
kfreebsd-8 (PTS)   | squeeze                     | 8.1+dfsg-8+squeeze4  | fixed
kfreebsd-8 (PTS)   | squeeze (security)          | 8.1+dfsg-8+squeeze3  | fixed
kfreebsd-9 (PTS)   | wheezy                      | 9.0-10+deb70.7       | fixed
kfreebsd-9 (PTS)   | wheezy (security)           | 9.0-10+deb70.10      | fixed
xen (PTS)          | squeeze, squeeze (security) | 4.0.1-5.11           | fixed
xen (PTS)          | wheezy (security)           | 4.1.4-3+deb7u9       | fixed
xen (PTS)          | jessie (security)           | 4.4.1-9+deb8u2       | fixed
xen (PTS)          | stretch, sid                | 4.6.0-1              | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs


Apparently this code is included in FreeBSD and Xen, as well as
Microsoft Windows, which is also part of this id assignment (and, a
bit strangely, the only OS currently called out in the MITRE description).
It also affected the Linux kernel, where it was fixed 6 years earlier as CVE-2006-0744.
