Oh god what. A 9.8 CVE score is dramatic.
I’m slightly surprised this hasn’t already been used to worm a large portion of the internet.
The bug itself appears to have been fixed over a year ago, which probably mitigates the impact. Not clear if it was embargoed and just now released, or if it was fixed as a routine bug and only determined later to be this security-sensitive. For example, Debian’s CVE tracker marks it as having been fixed in Debian stable (jessie) in version 3.16.7-ckt20-1+deb8u2. Digging up the changelog, that update was released in February 2016, so I’d expect a large proportion of servers to be non-vulnerable by now.
Thanks for clarifying that! Phew!
The majority of server operating systems were never affected at all, also mitigating impact. For example, RHEL 5, RHEL 6, RHEL 7, RHEL 7 RT, and RHE-MRG 2 were all never affected by the bug, which probably means the vast majority of servers were never at risk.
Without bothering to read the article, what was the mitigating factor? Compile-time options? Never shipped a vulnerable kernel?
“This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, and 7, Red Hat Enterprise MRG 2, and realtime kernels as the code that introduced the flaw is not present in these products.” per https://access.redhat.com/security/cve/cve-2016-10229