Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2014-3153 Futex requeue exploit

CVE-2014-3153 Futex requeue exploit


Important to Low


Canonical Ubuntu

Versions Affected

  • Linux kernel through 3.14.5


The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.

Affected Products and Versions

Severity is important unless otherwise noted.

  • Cloud Foundry final releases prior to v177


Users of affected versions should apply the following mitigation:

  • Cloud Foundry Runtime Deployments running Release v176 or earlier upgrade to v177 or higher. As of v177, Cloud Foundry is integrated with BOSH stemcell 2671, based on Ubuntu 14.04, which resolves this vulnerability.


Many thanks to Pinkie Pie, the anonymous researcher who first discovered and reported this issue.


Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR