SegmentSmack – A TCP Vulnerability Targeting Linux 4.9

Recently, a critical TCP vulnerability was found in the Linux kernel. A detailed vulnerability assessment revealed that the flaw could induce denial-of-service (DoS) attacks in Linux 4.9 and above. Fortunately, patches for the vulnerability have already been released in Linux 4.9.116 and 4.17.11.

SegmentSmack – A DoS Triggering TCP Vulnerability

Juha-Matti Tilli, a researcher from Aalto University, discovered a flaw in the Linux kernel that made it highly vulnerable to cyber attacks. Reportedly, it is a TCP vulnerability that triggers DoS attacks. Red Hat named the vulnerability ‘SegmentSmack’. It lets an attacker send modified packets within a TCP session, leading to DoS through CPU saturation. The flaw has been assigned the CVE number CVE-2018-5390. It primarily affects Linux 4.9 and higher versions.





According to the CERT advisory, the vulnerability can force the Linux kernel to make calls to two TCP functions: tcp_collapse_ofo_queue() and tcp_prune_ofo_queue(). These two functions play a role in reassembling TCP segments.

“Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service.”

The “tcp_collapse_ofo_queue()” function makes room for an incoming data segment by collapsing the out-of-order queue whenever the memory quota for the receive queue is exhausted. The “tcp_prune_ofo_queue()” function, in turn, is a prune function used during queue operations.

In the commonly predicted worst-case scenario, exploiting this vulnerability could let an attacker stall the target with less than 2kbps of malicious attack traffic.

To exploit the vulnerability and maintain the DoS state, the attacker needs a connection to a reachable open port. Because establishing a TCP connection requires a real IP address, the attacker cannot exploit this vulnerability from a spoofed IP.
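One way to watch a host for heavy use of the out-of-order pruning and collapsing paths described above, as an added example that is not part of the original article. The counter names are the kernel's TcpExt fields in /proc/net/netstat rather than anything quoted in the article, and the threshold and the two sample snapshots are constructed assumptions.

```python
# Flag heavy out-of-order-queue pruning/collapsing from /proc/net/netstat deltas.
import time

# TcpExt counters bumped on the code paths the advisory names:
#   OfoPruned       - tcp_prune_ofo_queue() dropped out-of-order data
#   TCPRcvCollapsed - tcp_collapse() compacted receive/out-of-order buffers
#   PruneCalled     - tcp_prune_queue() ran because receive memory was short
WATCHED = ("OfoPruned", "TCPRcvCollapsed", "PruneCalled")
THRESHOLD_PER_SEC = 100.0   # assumption: tune against your own baseline


def parse_netstat(text):
    """Parse /proc/net/netstat text into {prefix: {counter: int}}."""
    lines = [l.split() for l in text.strip().splitlines() if l.strip()]
    tables = {}
    # The file is pairs of lines: a header row of names, then a row of values.
    for names, values in zip(lines[0::2], lines[1::2]):
        if names[0] != values[0] or len(names) != len(values):
            raise ValueError("malformed header/value pair for %s" % names[0])
        tables[names[0].rstrip(":")] = dict(zip(names[1:], map(int, values[1:])))
    return tables


def ofo_pressure(before, after, seconds):
    """Return {counter: per-second rate} for watched counters over threshold."""
    old, new = parse_netstat(before)["TcpExt"], parse_netstat(after)["TcpExt"]
    rates = {k: (new[k] - old[k]) / seconds for k in WATCHED if k in old and k in new}
    return {k: r for k, r in rates.items() if r >= THRESHOLD_PER_SEC}


# Constructed snapshots (abbreviated counter set), taken 10 seconds apart.
SAMPLE_T0 = """TcpExt: PruneCalled RcvPruned OfoPruned TCPRcvCollapsed TCPOFOQueue
TcpExt: 12 0 3 40 900
IpExt: InOctets OutOctets
IpExt: 1000 2000
"""
SAMPLE_T1 = """TcpExt: PruneCalled RcvPruned OfoPruned TCPRcvCollapsed TCPOFOQueue
TcpExt: 5012 0 2503 90040 61900
IpExt: InOctets OutOctets
IpExt: 9000 9500
"""

if __name__ == "__main__":
    print("constructed sample:", ofo_pressure(SAMPLE_T0, SAMPLE_T1, 10))
    with open("/proc/net/netstat") as f:      # live check on a Linux host
        first = f.read()
    time.sleep(5)
    with open("/proc/net/netstat") as f:
        print("live:", ofo_pressure(first, f.read(), 5))
```

A sustained non-empty result alongside high softirq CPU is a reason to check the kernel version against the fixed releases; lossy links can also raise these counters, so treat it as a signal rather than proof.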

SegmentSmack: Linux Already Patched The Flaw

Unlike most other Linux flaws, this vulnerability was not as harmful, probably because the researchers at CERT, despite presenting a detailed analysis, did not give much detail on the requirements for maintaining a DoS crash. Hence, the overall severity of the flaw appeared somewhat lower. Still, it needed a patch before a bad actor could find and exploit it.

Initially, when news of the flaw surfaced online, it was speculated that a patch was yet to be released. However, we then learned that the flaw had already been patched in kernel versions 4.9.116 and 4.17.11.

The Linux developers quickly released fixes that limit the CPU cycles consumed, making the vulnerability non-critical.

“This patch series makes sure we cut CPU cycles enough to render the attack not critical.”

So, Linux users can protect themselves by simply updating their Linux kernel.

