High severity 7.3 · NVD Advisory · Published Aug 6, 2016 · Updated May 6, 2026

CVE-2016-3841

Description

A use-after-free in the Linux kernel's IPv6 stack allows local privilege escalation or system crash via a crafted sendmsg call.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Linux kernel's IPv6 stack before version 4.3.3 mishandles options data, allowing a use-after-free condition. A local attacker can exploit this by crafting a sendmsg system call with concurrent socket option access. Affected versions include Red Hat Enterprise Linux 6 (kernel 2.6.32) and 7 (kernel 3.10.0) before the updates in RHSA-2016-0855 [1] and RHSA-2016-2574 [2], as well as Android devices running kernels older than the August 2016 security bulletin [3].

Exploitation

An attacker with local access to the system can trigger the vulnerability by issuing a specially crafted sendmsg call. The issue arises from concurrent access to IPv6 socket options, which leads to a use-after-free condition. No authentication beyond local user access is required, though the attacker must be able to execute code on the target system [4].

Impact

Successful exploitation can result in local privilege escalation, allowing the attacker to gain elevated privileges, or cause a denial of service through a system crash. The use-after-free memory corruption can be leveraged to execute arbitrary code in kernel context, depending on the attacker's skill [1][4].

Mitigation

Red Hat released updates in RHSA-2016-0855 (RHEL 6) and RHSA-2016-2574 (RHEL 7) to address this issue [1][2]. Additionally, RHSA-2016-2695 was provided for Red Hat Enterprise Linux 7.2 Extended Update Support [4]. Google's August 2016 Android Security Bulletin includes patches for affected Android devices [3]. System administrators should apply the relevant kernel updates and reboot the system. There is no known workaround besides updating.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

67


References

9
