HP-UX kernel specifies incorrect arguments for setrlimit()

ID VU:726187
Type cert
Reporter CERT
Modified 2003-12-09T00:00:00



A problem exists in some versions of the HP-UX kernel allowing an intruder to cause kernel panics.


Certain versions of the HP-UX setrlimit system call contain a vulnerability that permits an intruder to cause kernel panics or compromise the system. Quoting from HP Security Bulletin #0183:

The HP-UX kernel incorrectly specifies arguments for setrlimit() and can produce unexpected panics.

According to the HP bulletin, this problem affects HP 9000 series servers running HP-UX 11.11. For more information, see the bulletin. Registration may be required to view it.


An intruder may be able to cause a denial of service by causing a kernel panic. Additionally, the HP bulletin says "servers could be locally compromised," suggesting the ability to run arbitrary code.


Apply patch PHKL_26233 as specified in the HP bulletin.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Hewlett-Packard Company | | - | 28 Mar 2002

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A


  • <http://www.securityfocus.com/bid/4094>
  • <http://us-support2.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000059416918>


Our thanks to Hewlett Packard for Security Bulletin #0183, upon which this document is based.

This document was written by Shawn V. Hernan.

Other Information

  • CVE IDs: CAN-2002-0279
  • Date Public: 12 Feb 2002
  • Date First Published: 28 Mar 2002
  • Date Last Updated: 09 Dec 2003
  • Severity Metric: 9.11
  • Document Revision: 5