CVE-2017-8797

Name: CVE-2017-8797
Creator: NVD / NIST
Published: 2017-07-02T17:29:00.177+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 8.67%

Last modified Jun 17, 2026

CVE-2017-8797 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The NFSv4 server in the Linux kernel before 4.11.3 does not properly validate the layout type when processing the NFSv4 pNFS GETDEVICEINFO or LAYOUTGET operand in a UDP packet from a remote attacker. This type value is uninitialized upon encountering certain error conditions. EPSS estimates a 8.67% chance of exploitation in the next 30 days.

Description

The NFSv4 server in the Linux kernel before 4.11.3 does not properly validate the layout type when processing the NFSv4 pNFS GETDEVICEINFO or LAYOUTGET operand in a UDP packet from a remote attacker. This type value is uninitialized upon encountering certain error conditions. This value is used as an array index for dereferencing, which leads to an OOPS and eventually a DoS of knfsd and a soft-lockup of the whole system.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

8.67%

94.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-129

Affected Software

Vendor	Product	Versions
Linux	Linux Kernel	>= 4.0, < 4.1.40
Linux	Linux Kernel	>= 4.2, < 4.4.70
Linux	Linux Kernel	>= 4.5, < 4.9.30
Linux	Linux Kernel	>= 4.11, < 4.11.3

References

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b550a32e60a4941994b437a8d662432a486235a5Patch, Vendor Advisory
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f961e3f2acae94b727380c0b74e2d3954d0edf79Patch, Vendor Advisory
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.3Release Notes, Vendor Advisory
http://www.openwall.com/lists/oss-security/2017/06/27/5Mailing List, Patch, VDB Entry
http://www.securityfocus.com/bid/99298Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1038790Broken Link, Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2017:1842Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2077Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2437Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2669Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1466329Issue Tracking, Third Party Advisory, VDB Entry
https://github.com/torvalds/linux/commit/b550a32e60a4941994b437a8d662432a486235a5Patch, Third Party Advisory
https://github.com/torvalds/linux/commit/f961e3f2acae94b727380c0b74e2d3954d0edf79Patch, Third Party Advisory
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b550a32e60a4941994b437a8d662432a486235a5Patch, Vendor Advisory
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f961e3f2acae94b727380c0b74e2d3954d0edf79Patch, Vendor Advisory
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.3Release Notes, Vendor Advisory
http://www.openwall.com/lists/oss-security/2017/06/27/5Mailing List, Patch, VDB Entry
http://www.securityfocus.com/bid/99298Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1038790Broken Link, Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2017:1842Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2077Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2437Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2669Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1466329Issue Tracking, Third Party Advisory, VDB Entry
https://github.com/torvalds/linux/commit/b550a32e60a4941994b437a8d662432a486235a5Patch, Third Party Advisory
https://github.com/torvalds/linux/commit/f961e3f2acae94b727380c0b74e2d3954d0edf79Patch, Third Party Advisory

Timeline

Published: Jul 2, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-8797?

How severe is CVE-2017-8797?

CVE-2017-8797 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 8.67% probability of exploitation in the next 30 days.

How do I fix CVE-2017-8797?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-8797?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST