Think you have a false positive on this rule?

Sid 1-44638


PROTOCOL-RPC Linux kernel nfsd nfsd4layoutverify out of bounds read attempt


This event is generated when Snort detects traffic exploiting an out of bounds read vulnerability in the Linux Kernel nfsd module.


Attempted Denial of Service


CVSS base score 7.5

CVSS impact score 3.6

CVSS exploitability score 3.9

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Detailed information

CVE-2017-8797: The NFSv4 server in the Linux kernel before 4.11.3 does not properly validate the layout type when processing the NFSv4 pNFS GETDEVICEINFO or LAYOUTGET operand in a UDP packet from a remote attacker. This type value is uninitialized upon encountering certain error conditions. This value is used as an array index for dereferencing, which leads to an OOPS and eventually a DoS of knfsd and a soft-lockup of the whole system.

Affected systems

  • linux linux_kernel 4.11.2

Ease of attack


Access Vector

Access Complexity


False positives

False negatives

Corrective action


  • Cisco's Talos Intelligence Group

Additional References