Descriptioniproute2 before 5.1.0 has a use-after-free in get_netnsid_from_name in ip/ipnetns.c. NOTE: security relevance may be limited to certain uses of setuid that, although not a default, are sometimes a configuration option offered to end users. Even when setuid is used, other factors (such as C library configuration) may block exploitability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
iproute2 (PTS)buster4.20.0-2+deb10u1vulnerable
bookworm, sid5.19.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
iproute2sourcejessie(not affected)
iproute2sourcestretch(not affected)


[buster] - iproute2 <no-dsa> (Minor issue)
[stretch] - iproute2 <not-affected> (Vulnerable code introduced later)
[jessie] - iproute2 <not-affected> (Vulnerable code introduced later)
Fixed by: (v5.1.0)
Introduced in: (v4.15.0)

Search for package or bug name: Reporting problems