What is CVE-2014-9717?

CVE-2014-9717 is a Medium severity Linux kernel vulnerability with a CVSS score of 6.1 out of 10, classified as a Improper Access Control flaw (CWE-284). CVE-2014-9717 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2014-9717?

CVE-2014-9717 has a CVSS score of 6.1 out of 10, rated Medium severity. The vector string is CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N.

Is there a patch available for CVE-2014-9717?

No patch is currently available for CVE-2014-9717. Monitor the NIST NVD and your Linux distribution's security advisories for updates.

Is CVE-2014-9717 actively exploited?

CVE-2014-9717 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is Improper Access Control (CWE-284)?

The product does not restrict or incorrectly restricts access to a resource from an unauthorised actor. See MITRE CWE for full details: https://cwe.mitre.org/data/definitions/284.html

CVE-2014-9717

Medium

fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allows local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user namespace.

Package Linux Kernel

Published 2016-05-02

Last modified 2026-05-06

CVSS version 3.0

Patch available

Awaiting data

CVSS 3.0 score

6.1

out of 10

Medium

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Vector string

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Weakness type

CWE-284

CVE-2014-9717 is a Improper Access Control vulnerability

What is Improper Access Control?

The product does not restrict or incorrectly restricts access to a resource from an unauthorised actor. Learn more on MITRE CWE

References

The following references provide additional information about CVE-2014-9717 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Lists
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00054.html
Lists
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00056.html
Lists
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html
Kernel.org
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.0.2
Openwall
http://www.openwall.com/lists/oss-security/2015/04/17/4
Securityfocus
http://www.securityfocus.com/bid/74226
Spinics
http://www.spinics.net/lists/linux-containers/msg30786.html
Red Hat
https://bugzilla.redhat.com/show_bug.cgi?id=1226751
Groups
https://groups.google.com/forum/message/raw?msg=linux.kernel/HnegnbXk0Vs/RClojwJzAFEJ
Kernel patch commit
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce07d891a0891d3c0d0c2d73d577490486b809e1
Patch
Kernel patch commit
https://github.com/torvalds/linux/commit/ce07d891a0891d3c0d0c2d73d577490486b809e1
Patch

Details

CVE ID CVE-2014-9717

Severity Medium

CVSS score 6.1 / 10

CVSS version 3.0

Published 2016-05-02

Modified 2026-05-06

KEV No

Patch Awaiting data

Package linux

Frequently asked questions

What is CVE-2014-9717?

CVE-2014-9717 is a Medium severity Linux kernel vulnerability with a CVSS score of 6.1 out of 10 , classified as an Improper Access Control flaw (CWE-284) . CVE-2014-9717 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2014-9717?

CVE-2014-9717 has a CVSS score of 6.1 out of 10, rated Medium severity (CVSS 3.0). The vector string is CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N.
Is there a patch available for CVE-2014-9717?

No patch is currently available for CVE-2014-9717. Monitor the NIST NVD and your Linux distribution's security advisories for updates.
Is CVE-2014-9717 actively exploited?

No — CVE-2014-9717 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
What is Improper Access Control (CWE-284)?

The product does not restrict or incorrectly restricts access to a resource from an unauthorised actor. View CWE-284 on MITRE CWE →