TCP implementations vulnerable to Denial of Service

The network stacks of recent Linux and FreeBSD kernels have a vulnerability that makes it possible to perform denial of service attacks with low packet volumes. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port.

The vulnerability is related to the handling of TCP segments within Linux and FreeBSD TCP/IP stacks. Mounting the attack requires that a two-way TCP connection to an open port is formed. An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions. Thus, the attacks cannot be performed using spoofed IP addresses.

Vulnerability coordination:

The vulnerability was found by Juha-Matti Tiili from Aalto University, Department of Communications and Networking / Nokia Bell Labs. NCSC-FI would like to thank the finder, CERT/CC and vendors for participating in the coordination.

  • Servers and server applications
  • Workstations and end-user applications
  • Network devices
  • Mobile communications systems
  • Embedded systems
  • Others


  • Servers and server applications
  • Network devices
  • Embedded systems
  • Others
Further information +

Attack vector

  • Remote
  • No user interaction required
Further information on the access vector +


  • Denial-of-service attack
Further information on the impact +


  • Software update patch
Further information on the remediation +

Vulnerable software:

  • In the Linux kernel, the vulnerability was introduced in version 4.9 and fixed in versions 4.9.117, 4.17.11, and 4.14.59. The version 4.4.146 includes portions of the same fix.
  • All supported FreeBSD versions

Possible solutions and restrictive measures:

Update the affected software using the automatic updates of your OS provider.

The vulnerability can be mitigated by restricting access to the vulnerable version, or by terminating TCP connections in a separate system such as proxy or load balancer.

Contact Information

NCSC-FI Vulnerability Coordination can be contacted as follows:


Please quote the advisory reference [FICORA #1052508] in the subject line.

+358 295 390 230
Monday - Friday 08:00 – 16:15 (EET: UTC+3)

Vulnerability Coordination
P.O. Box 313
FI-00561 Helsinki

NCSC-FI encourages those who wish to communicate via email to make use of our PGP key. The PGP key as well as the vulnerability coordination principles of NCSC-FI are available at:

Further information:

Update history

Key words: Information security , Internet , CERT , NCSC-FI , Vulnerability coordination

LinkedIn Print


The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

Itämerenkatu 3 A

P.O. Box 313


Media contacts by telephone +358 295 390 248