{"id":"CVE-2016-9604","details":"It was discovered in the Linux kernel before 4.11-rc8 that root can gain direct access to an internal keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as its session keyring. This allows root to bypass module signature verification by adding a new public key of its own devising to the keyring.","modified":"2026-03-15T22:13:19.083691Z","published":"2018-07-11T13:29:00.207Z","related":["MGASA-2017-0136","MGASA-2017-0147","MGASA-2017-0148","SUSE-SU-2017:1360-1","SUSE-SU-2017:2920-1"],"references":[{"type":"ADVISORY","url":"http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9604.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/102135"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:1842"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:2077"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:2669"},{"type":"REPORT","url":"https://bugzilla.novell.com/show_bug.cgi?id=1035576"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9604"},{"type":"FIX","url":"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee8f844e3c5a73b999edf733df1c529d6503ec2f"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"4.11"}]},{"events":[{"introduced":"0"},{"last_affected":"4.11-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"4.11-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"4.11-rc3"}]},{"events":[{"introduced":"0"},{"last_affected":"4.11-rc4"}]},{"events":[{"introduced":"0"},{"last_affected":"4.11-rc5"}]},{"events":[{"introduced":"0"},{"last_affected":"4.11-rc6"}]},{"events":[{"introduced":"0"},{"last_affected":"4.11-rc7"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9604.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"}]}