[Cerowrt-devel] sack panic CVEs

Dave Taht dave.taht at gmail.com
Tue Jun 18 17:23:19 EDT 2019

Apparently people are exploiting this in the wild.


CeroWrt - if anyone is still running it, does have a web server that
might be vulnerable, same for the ssh port. openwrt as well, well...
*Anybody* with an exposed tcp server of just about any sort on freebsd
or linux seems vulnerable to the first bug, which causes a kernel

Ironically I had been pushing over on ecn-sane to experiment with
lowering the MSS to keep signal strength up in highly congested
scenarios. Apparently,
someone found another use for the idea.

There is an iptables workaround,, documented here:

I remember the "ping O death" which cost me christmas in the early
90s. I've been watching the patches to the kernel land and wishing I
was somewhere else.


Dave Täht
CTO, TekLibre, LLC
Tel: 1-831-205-9740

More information about the Cerowrt-devel mailing list