Linux kernel: CVE-2017-6074 – local privilege escalation in DCCP

Mattias Geniar, Wednesday, February 22, 2017

Patching time, again.

This is an announcement about CVE-2017-6074 [1] which is a double-free
vulnerability I found in the Linux kernel. It can be exploited to gain
kernel code execution from an unprivileged process.

[oss-security] Linux kernel: CVE-2017-6074: DCCP double-free vulnerability (local root)

This privilege escalation vulnerability is present in pretty much every kernel in use out there. Going by their kernel versions, CentOS 5, 6 and 7 are all vulnerable.

The oldest version that was checked is 2.6.18 (Sep 2006), which is
vulnerable. However, the bug was introduced before that, probably in
the first release with DCCP support (2.6.14, Oct 2005).

The kernel needs to be built with CONFIG_IP_DCCP for the vulnerability
to be present. A lot of modern distributions enable this option by

[oss-security] Linux kernel: CVE-2017-6074: DCCP double-free vulnerability (local root)

Red Hat's bug tracker provides some mitigation tactics without updating the kernel and rebooting your box.

Recent versions of SELinux policy can mitigate this exploit. The steps below will work with SELinux enabled or disabled.

As the DCCP module will be auto loaded when required, its use can be disabled
by preventing the module from loading with the following instructions.

 # echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf 

The system will need to be restarted if the dccp modules are loaded. In most circumstances the dccp kernel modules will be unable to be unloaded while any network interfaces are active and the protocol is in use.

If you need further assistance, see this KCS article or contact Red Hat Global Support Services.

(CVE-2017-6074) CVE-2017-6074 kernel: use after free in dccp protocol

More details are hidden behind Red Hat's subscription wall, but the mitigation tactic shown above should be sufficient in most cases.

In fact, there don't seem to be updated kernel packages for CentOS just yet, so the above is -- at the time of writing -- the only mitigation tactic you have.
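
To confirm that the modprobe mitigation above is actually in effect on a given box, here is an added example (not part of the original post or of Red Hat's advisory). The function names and state strings are this example's own, and /boot/config-$(uname -r) is an assumption about where your distribution installs the kernel config.

```shell
#!/bin/sh
# Added example: is the modprobe.d mitigation for CVE-2017-6074 in effect?
# Every path is a parameter with a conventional default, so the logic can be
# run against constructed fixture files as well as the live system.

# Print y, m or n for CONFIG_IP_DCCP in a kernel config file, "?" if unreadable.
dccp_config() {
    cfg=${1:-/boot/config-$(uname -r)}   # assumed location of the kernel config
    [ -r "$cfg" ] || { echo '?'; return 0; }
    val=$(sed -n 's/^CONFIG_IP_DCCP=\([ym]\)$/\1/p' "$cfg" | head -n 1)
    echo "${val:-n}"
}

# Succeed if dccp or a dccp_* module is listed (same data as lsmod | grep dccp).
dccp_loaded() {
    grep -Eq '^dccp(_[a-z0-9_]+)?[[:space:]]' "${1:-/proc/modules}" 2>/dev/null
}

# Succeed if an uncommented "install dccp /bin/true" (or /bin/false) line exists
# in any *.conf file of the modprobe.d directory.
dccp_blocked() {
    dir=${1:-/etc/modprobe.d}
    cat "$dir"/*.conf 2>/dev/null |
        grep -Eq '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+/bin/(true|false)([[:space:]]|$)'
}

# Print one state: not-built, built-in, blocked, blocked-reboot-needed,
# exposed-loaded or exposed-autoload. An unreadable config is treated as modular.
dccp_assess() {
    case $(dccp_config "${1:-}") in
        n) echo "not-built"; return 0 ;;
        y) echo "built-in"; return 0 ;;   # modprobe.d cannot block built-in code
    esac
    if dccp_blocked "${3:-}"; then
        if dccp_loaded "${2:-}"; then echo "blocked-reboot-needed"; else echo "blocked"; fi
    elif dccp_loaded "${2:-}"; then
        echo "exposed-loaded"
    else
        echo "exposed-autoload"
    fi
}

# Usage: script [kernel-config] [modules-file] [modprobe.d-dir]
dccp_assess "$@"
```

A result of built-in means DCCP is compiled into the kernel image rather than shipped as a module, so the install line has nothing to intercept and only a patched kernel helps.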



jose Thursday, February 23, 2017 at 18:19 -


How can I know if I have dccp?

thanks and regards

Mattias Geniar Friday, February 24, 2017 at 10:54 -

The simplest way to see if it’s loaded:

$ lsmod | grep dccp

If the module is loaded, chances are you’re using it.

To see more info on the module (details on where it’s located etc.), try modinfo.

$ modinfo dccp
filename:       /lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/net/dccp/dccp.ko
description:    DCCP - Datagram Congestion Controlled Protocol
author:         Arnaldo Carvalho de Melo 
license:        GPL
srcversion:     71CA3F011BC23EF970AF27E
vermagic:       2.6.32-642.6.2.el6.x86_64 SMP mod_unload modversions
parm:           thash_entries:Number of ehash buckets (int)