CVE-2017-16638

critical

Published 2017-11-06 · Modified 2026-05-13

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

10.0

VIR risk

9.8

Description

The Gentoo net-misc/vde package before version 2.3.2-r4 may allow members of the "qemu" group to gain root privileges by creating a hard link in a directory on which "chown" is called recursively by the OpenRC service script.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://security.gentoo.org/glsa/201711-11

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://bugs.gentoo.org/603382

Application impact

Vendor	Product	Versions	Fixed
vde_project	vde	`{"endExcluding":"2.3.2"}`	`2.3.2`

References

https://bugs.gentoo.org/603382
https://security.gentoo.org/glsa/201711-11
https://bugs.gentoo.org/603382
https://security.gentoo.org/glsa/201711-11

CWEs

CWE-732

Verify integrity in audit chain (admin only). AS-IS.