Shared challenge ack vulnerability - CVE-2016-5696

Public Date: July 12, 2016, 10:06
Updated October 3, 2016, 14:34 - No translations currently exist.
Resolved Status
Important Impact

The Red Hat Product Security has been made aware of a vulnerability in the Linux kernel that has been assigned CVE-2016-5696 . This issue has been rated as Important .

Background Information

Researchers have discovered a flaw in the Linux kernel’s TCP/IP networking subsystem implementation of the RFC 5961 challenge ACK rate limiting, that could allow an off-path attacker to inject payload into unsecured TCP connections.

Take Action

All Red Hat customers with affected products deployments are recommended to apply mitigations to their systems until the updated kernel packages are available. Recommended mitigations can be found under the Resolve tab.


Red Hat would like to thank Yue Cao of the Cyber Security Group in the CS Department of the University of California, Riverside for reporting this issue.

Red Hat Product Security has rated this update as having a security impact of Important .

Impacted Products

The following Red Hat Product versions are impacted, earlier versions are not affected:

  • Red Hat Enterprise Linux 6.5 and later
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise MRG 2

Attack description and impact

This flaw allows an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two given endpoints on the network.


By setting net.ipv4.tcp_challenge_ack_limit to arbitrary high value we can effectively disable challenge ACK rate limiting, avoid the congestion and thus close the information side channel.

Edit the /etc/sysctl.conf file as root, and add or amend:


To apply this setting, run the /sbin/sysctl -p command as the root user to reload the settings from /etc/sysctl.conf.

Verify that net.ipv4.tcp_challenge_ack_limit is now set to defined value:

$ /sbin/sysctl net.ipv4.tcp_challenge_ack_limit
net.ipv4.tcp_challenge_ack_limit = 2147483647

Updates for Affected Products

Fixes for all impacted products will be released in forthcoming update.

Product Package Advisory/Update
Red Hat Enterprise Linux 6.5 kernel RHSA-2016:1814
Red Hat Enterprise Linux 6.6 kernel RHSA-2016:1939
Red Hat Enterprise Linux 6.7 kernel RHSA-2016:1815
Red Hat Enterprise Linux 6.8 kernel RHSA-2016:1664
Red Hat Enterprise Linux 7.1 kernel RHSA-2016:1657
Red Hat Enterprise Linux 7.2 kernel RHSA-2016:1633
Red Hat Enterprise Linux 7.2 kernel-rt RHSA-2016:1632
Red Hat Enterprise MRG 2 realtime-kernel RHSA-2016:1631