VYPR
High severity · 7.8 (NVD) · Advisory · Published Jun 19, 2017 · Updated May 13, 2026

CVE-2017-1000365

Description

The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Linux kernel's execve() check that limits argument and environment strings to one quarter of RLIMIT_STACK counts only the string bytes, not the argv/envp pointer arrays the kernel also writes onto the new stack. A local user can therefore start a program with a much larger initial stack than the limit was meant to allow, which Qualys used as a building block of its Stack Clash local privilege escalation attacks.

Vulnerability

Since Linux 2.6.23, execve() has limited the argument and environment strings it copies into a new process to one quarter of the soft RLIMIT_STACK (with RLIM_INFINITY there is effectively no cap). Through 4.11.5, however, the check counted only the string bytes; the argv and envp pointer arrays, which the kernel writes onto the same initial stack below the strings, were not counted at all [1][2]. On a 64-bit system every string costs at least one byte (its NUL terminator) but eight bytes of pointer, so passing a very large number of empty strings makes the new process begin execution with far more of its stack consumed than the one-quarter budget was designed to leave. Qualys used this oversized initial stack as a building block of its Stack Clash attacks, in which the stack of a privileged process is made to grow into an adjacent memory region (the heap or an mmap mapping) across the guard page that was introduced to keep the two apart [1].
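As an added illustration (not part of this advisory and not kernel source), the C model below reproduces the arithmetic of the get_arg_page() size check in fs/exec.c before and after the fix. It assumes a 64-bit target with 8-byte pointers and 4 KiB pages; the 8 MiB stack limit and the 800,000-empty-string argv are constructed inputs chosen to show the gap.

```c
/*
 * Model of the argv/envp size check in fs/exec.c (get_arg_page()) before
 * and after the CVE-2017-1000365 fix. Added illustration, not kernel code:
 * it reproduces the arithmetic of the check on plain integers and assumes
 * a 64-bit target (8-byte pointers) and 4 KiB pages.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define K_PAGE_SIZE 4096UL
#define K_ARG_MAX   (32UL * K_PAGE_SIZE)   /* 131072 bytes, always allowed */
#define K_PTR_SIZE  8UL                    /* sizeof(void *) on x86_64 (assumed) */

/* Vulnerable accounting (Linux <= 4.11.5): only the copied string bytes
 * (each string plus its NUL) are compared against 1/4 of the soft
 * RLIMIT_STACK. The pointer arrays that will also be written onto the
 * new stack are never counted. */
bool vuln_check_allows(unsigned long argc, unsigned long envc,
                       unsigned long string_bytes, unsigned long rlim_stack)
{
    unsigned long size = string_bytes;
    (void)argc; (void)envc;                  /* the bug: pointers ignored */
    if (size <= K_ARG_MAX)
        return true;                         /* historical 32-page allowance */
    return size <= rlim_stack / 4;           /* false -> execve fails with E2BIG */
}

/* Fixed accounting (4.11.6+, "fs/exec.c: account for argv/envp pointers"):
 * the pointer arrays are added before the same comparison, with an
 * overflow guard on the addition. */
bool fixed_check_allows(unsigned long argc, unsigned long envc,
                        unsigned long string_bytes, unsigned long rlim_stack)
{
    unsigned long size = string_bytes;
    unsigned long ptr_size = (argc + envc) * K_PTR_SIZE;
    if (ptr_size > ULONG_MAX - size)
        return false;                        /* overflow guard from the fix */
    size += ptr_size;
    if (size <= K_ARG_MAX)
        return true;
    return size <= rlim_stack / 4;
}

/* Bytes of strings plus pointer arrays that land on the new process's
 * initial stack (argc word, auxv and NULL terminators omitted). */
unsigned long initial_stack_bytes(unsigned long argc, unsigned long envc,
                                  unsigned long string_bytes)
{
    return string_bytes + (argc + envc) * K_PTR_SIZE;
}

/* Count a NULL-terminated vector the way copy_strings() charges it:
 * number of entries, and bytes including each terminating NUL. */
unsigned long count_vector(char *const vec[], unsigned long *bytes)
{
    unsigned long n = 0;
    *bytes = 0;
    for (; vec && vec[n]; n++)
        *bytes += strlen(vec[n]) + 1;
    return n;
}

/* Constructed scenario: an 8 MiB soft stack limit and 800,000 empty
 * argument strings. Each empty string costs one byte of the counted
 * budget but eight uncounted bytes of pointer. */
#define DEMO_RLIM     (8UL << 20)
#define DEMO_ARGC     800000UL
#define DEMO_ENVC     0UL
#define DEMO_STRBYTES (DEMO_ARGC * 1UL)

bool demo_vuln_allows(void)
{
    return vuln_check_allows(DEMO_ARGC, DEMO_ENVC, DEMO_STRBYTES, DEMO_RLIM);
}

bool demo_fixed_allows(void)
{
    return fixed_check_allows(DEMO_ARGC, DEMO_ENVC, DEMO_STRBYTES, DEMO_RLIM);
}

unsigned long demo_stack_bytes(void)
{
    return initial_stack_bytes(DEMO_ARGC, DEMO_ENVC, DEMO_STRBYTES);
}

int main(void)
{
    char *const argv_small[] = { "prog", "", "x", NULL };
    unsigned long bytes, n = count_vector(argv_small, &bytes);

    printf("small argv: %lu entries, %lu string bytes\n", n, bytes);
    printf("RLIMIT_STACK %lu, intended argv+envp budget %lu\n",
           DEMO_RLIM, DEMO_RLIM / 4);
    printf("demo: %lu empty args -> %lu string bytes counted, %lu bytes on stack\n",
           DEMO_ARGC, DEMO_STRBYTES, demo_stack_bytes());
    printf("vulnerable check: %s\n", demo_vuln_allows() ? "allowed" : "E2BIG");
    printf("fixed check:      %s\n", demo_fixed_allows() ? "allowed" : "E2BIG");
    return 0;
}
```

Running it shows the vulnerable check accepting 800,000 counted string bytes (well under the 2 MiB budget) while about 7.2 MB of strings and pointers actually land on the new stack; the fixed check rejects the same execve with E2BIG. The real kernel measures the page-aligned size of the temporary argument vma as it fills rather than raw string bytes, so its totals run slightly higher than this model.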

Exploitation

A local user builds an argv and envp made of a very large number of tiny strings and calls execve() on a privileged target such as a setuid-root binary. The kernel admits the strings because their bytes fit the one-quarter budget, then writes the uncounted pointer arrays beneath them, so the privileged program starts with an initial stack far larger than the limit intended and correspondingly less room before the next mapping. The remaining Stack Clash steps, which make the process consume enough stack to jump the guard page and then overlap stack data with an adjacent heap or mmap region, corrupt memory inside that privileged process [1]. No privilege beyond the ability to execute programs is required, and the bypass works against any unpatched kernel irrespective of the user-space binaries installed [1].

Impact

In the Qualys scenarios the result is local privilege escalation to root. The memory that gets corrupted belongs to the privileged user-space process the attacker executed (a setuid-root binary or a similar program), not to the kernel itself; hijacking that process is what yields root. The NVD rating treats confidentiality, integrity and availability as fully compromised [1][2].

Mitigation

The fix, present in Linux 4.11.6 and later, adds the size of the pointer arrays, (argc + envc) * sizeof(void *), to the byte count compared against the limit, so the pointers now consume the same one-quarter budget as the strings [2]. Red Hat and other vendors shipped backported kernels for affected distributions [2]; apply the vendor's kernel update. Lowering the stack limit is only a partial workaround: the check is made against the soft RLIMIT_STACK, which an unprivileged user can raise with setrlimit() up to the hard limit, so a reduced soft limit set with ulimit -s does nothing against a local attacker. Only a reduced hard limit (ulimit -Hs) on untrusted accounts narrows the attack surface, and even that leaves the accounting bug in place [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

89


References

5
