CVE-2005-4605
Description
The procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions before 2.6.15 allows attackers to read sensitive kernel memory via unspecified vectors in which a signed value is added to an unsigned value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:o:linux:linux_kernel:2.6.14.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.14:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.15:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.15:rc3:*:*:*:*:*:*
- Range: <2.6.15
Patches
Vulnerability mechanics
Root cause
"A signed value is added to an unsigned value in the procfs code, leading to integer overflow and memory disclosure."
Attack vector
An attacker can read sensitive kernel memory by exploiting a flaw in the procfs code. This is achieved by providing specific input that triggers an integer overflow when a signed value is added to an unsigned value. The exploit code demonstrates seeking to a large offset in `/proc/uptime` to trigger this vulnerability and dump kernel memory to standard output [ref_id=1].
Affected code
The vulnerability resides in the procfs code, specifically within the file `fs/proc/proc_misc.c` [ref_id=2]. The issue arises from the calculation `len <= off+count`, where `off` is of type `off_t` (signed) and `count` is of type `int` (signed). This calculation is also present in other kernel modules, including those related to `ia64`, `ppc64`, and various `drivers/char` and `drivers/net` files [ref_id=2].
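The arithmetic described above, as an added example that is not from the advisory or the kernel source: a user-space C model that computes the read window as plain integers, so nothing is read out of bounds. Only the comparison `len <= off+count` and the offset 4294963199 come from this page; the 32-bit `off_t`, the helper logic around the comparison, the function names and `len = 12` are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Where a copy would start (relative to the page buffer), how many
 * bytes it would cover, and whether end-of-file was signalled. */
struct window { int64_t start; int64_t len; int eof; };

/* Assumed model of a 32-bit signed off_t: positions above INT32_MAX wrap negative. */
static int32_t to_off32(uint64_t pos)
{
    int64_t v = (int64_t)(pos & 0xFFFFFFFFu);
    return (int32_t)(v > INT32_MAX ? v - 4294967296LL : v);
}

/* Unchecked form: assumed helper logic around the comparison quoted on the page. */
static struct window calc_unchecked(int32_t off, int count, int len)
{
    struct window w = { off, (int64_t)len - off, 0 };
    if (len <= (int64_t)off + count)   /* len <= off+count */
        w.eof = 1;
    if (w.len > count) w.len = count;  /* a negative off inflates len up to count */
    if (w.len < 0) w.len = 0;
    return w;
}

/* Hardened form: reject any offset outside [0, len) before using it. */
static struct window calc_checked(int32_t off, int count, int len)
{
    struct window w = { 0, 0, 1 };
    if (off < 0 || count < 0 || off >= len)
        return w;                      /* nothing to read, signal EOF */
    w.start = off;
    w.len = len - off;
    if (w.len > count) { w.len = count; w.eof = 0; }
    return w;
}

int main(void)
{
    int32_t off = to_off32(4294963199ULL);            /* offset from the Reproduction output */
    struct window u = calc_unchecked(off, 4096, 12);  /* len = 12 is a constructed value */
    struct window c = calc_checked(off, 4096, 12);
    printf("off=%d\n", off);
    printf("unchecked: start=%lld len=%lld eof=%d\n", (long long)u.start, (long long)u.len, u.eof);
    printf("checked:   start=%lld len=%lld eof=%d\n", (long long)c.start, (long long)c.len, c.eof);
    return 0;
}
```

In the unchecked form the window starts 4097 bytes before the buffer and spans the full 4096 requested bytes; the checked form returns an empty window with end-of-file set.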
What the fix does
The advisory does not specify a patch or provide details on the fix. However, the vulnerability is described as occurring in Linux versions before 2.6.15. The root cause is the improper handling of signed and unsigned integer types during offset calculations in the procfs code, specifically in `fs/proc/proc_misc.c` [ref_id=2].
Preconditions
- input: The system must be running a vulnerable version of the Linux kernel (e.g., 2.6.14.3).
Reproduction
[+] Opened /proc/uptime.
[+] Seek to offset 4294963199.
[+] Read 4096 bytes, dumping to stdout...
...
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- linux.bkbits.net:8080/linux-2.6/cset%4043b562ae6hJGLWZA4TNf2k-RzXnVlQ (nvd)
- linux.bkbits.net:8080/linux-2.6/gnupatch%4043b562ae6hJGLWZA4TNf2k-RzXnVlQ (nvd)
- lists.suse.de/archive/suse-security-announce/2006-Feb/0010.html (nvd)
- marc.info (nvd)
- secunia.com/advisories/18216 (nvd)
- secunia.com/advisories/18351 (nvd)
- secunia.com/advisories/18510 (nvd)
- secunia.com/advisories/18527 (nvd)
- secunia.com/advisories/18788 (nvd)
- secunia.com/advisories/19038 (nvd)
- secunia.com/advisories/19374 (nvd)
- www.debian.org/security/2006/dsa-1017 (nvd)
- www.kernel.org/git/ (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.novell.com/linux/security/advisories/2006_06_kernel.html (nvd)
- www.redhat.com/archives/fedora-announce-list/2006-January/msg00014.html (nvd)
- www.redhat.com/support/errata/RHSA-2006-0101.html (nvd)
- www.securityfocus.com/archive/1/427981/100/0/threaded (nvd)
- www.securityfocus.com/bid/16284 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/23811 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11747 (nvd)
- usn.ubuntu.com/244-1/ (nvd)