
CVE-2022-23831
https://notcve.org/view.php?id=CVE-2022-23831
09 Nov 2022 — Insufficient validation of the IOCTL input buffer in AMD μProf may allow an attacker to send an arbitrary buffer leading to a potential Windows kernel crash resulting in denial of service. Una validación insuficiente del búfer de entrada IOCTL en AMD ?Prof puede permitir que un atacante envíe un búfer arbitrario que provoque una posible falla del kernel de Windows que provoque una denegación de servicio. • https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1046 • CWE-20: Improper Input Validation •

CVE-2022-27674
https://notcve.org/view.php?id=CVE-2022-27674
09 Nov 2022 — Insufficient validation in the IOCTL input/output buffer in AMD μProf may allow an attacker to bypass bounds checks potentially leading to a Windows kernel crash resulting in denial of service. Una validación insuficiente en el búfer de entrada/salida IOCTL en AMD ?Prof puede permitir a un atacante eludir las comprobaciones de límites, lo que podría provocar un fallo del kernel de Windows que provoque una denegación de servicio. • https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1046 • CWE-20: Improper Input Validation •

CVE-2022-32264
https://notcve.org/view.php?id=CVE-2022-32264
06 Sep 2022 — sys/netinet/tcp_timer.h in FreeBSD before 7.0 contains a denial-of-service (DoS) vulnerability due to improper handling of TSopt on TCP connections. NOTE: This vulnerability only affects products that are no longer supported by the maintainer El archivo sys/netinet/tcp_timer.h en FreeBSD versiones anteriores a 7.0, contiene una vulnerabilidad de denegación de servicio (DoS) debido a un manejo inapropiado de TSopt en conexiones TCP. NOTA: Esta vulnerabilidad sólo afecta a productos que ya no son soportados p... • http://jvn.jp/en/jp/JVN20930118 • CWE-755: Improper Handling of Exceptional Conditions •

CVE-2022-23091 – Memory disclosure by stale virtual memory mapping
https://notcve.org/view.php?id=CVE-2022-23091
09 Aug 2022 — A particular case of memory sharing is mishandled in the virtual memory system. This is very similar to SA-21:08.vm, but with a different root cause. An unprivileged local user process can maintain a mapping of a page after it is freed, allowing that process to read private data belonging to other processes or the kernel. Un caso particular de compartir memoria se maneja mal en el sistema de memoria virtual. Esto es muy similar a SA-21:08.vm, pero con una causa raíz diferente. • https://security.freebsd.org/advisories/FreeBSD-SA-22:11.vm.asc • CWE-401: Missing Release of Memory after Effective Lifetime •

CVE-2022-23089 – Out of bound read in elf_note_prpsinfo()
https://notcve.org/view.php?id=CVE-2022-23089
09 Aug 2022 — When dumping core and saving process information, proc_getargv() might return an sbuf which have a sbuf_len() of 0 or -1, which is not properly handled. An out-of-bound read can happen when user constructs a specially crafted ps_string, which in turn can cause the kernel to crash. Al volcar el núcleo y guardar la información del proceso, proc_getargv() puede devolver un sbuf que tiene un sbuf_len() de 0 o -1, que no se maneja adecuadamente. Puede ocurrir una lectura fuera de los límites cuando el usuario co... • https://security.freebsd.org/advisories/FreeBSD-SA-22:09.elf.asc • CWE-125: Out-of-bounds Read •

CVE-2022-23090 – AIO credential reference count leak
https://notcve.org/view.php?id=CVE-2022-23090
09 Aug 2022 — The aio_aqueue function, used by the lio_listio system call, fails to release a reference to a credential in an error case. An attacker may cause the reference count to overflow, leading to a use after free (UAF). La función aio_aqueue, utilizada por la llamada al sistema lio_listio, no puede liberar una referencia a una credencial en un caso de error. Un atacante puede provocar que el recuento de referencias se desborde, lo que provocará un use after free (UAF). • https://packetstorm.news/files/id/168105 • CWE-416: Use After Free •

CVE-2022-23092 – Missing bounds check in 9p message handling
https://notcve.org/view.php?id=CVE-2022-23092
09 Aug 2022 — The implementation of lib9p's handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory. The bug can be triggered by a malicious bhyve guest kernel to overwrite memory in the bhyve(8) process. This could potentially lead to user-mode code execution on the host, subject to bhyve's Capsicum sandbox. A la implementación del manejo de mensajes RWALK por p... • https://security.freebsd.org/advisories/FreeBSD-SA-22:12.lib9p.asc • CWE-787: Out-of-bounds Write •

CVE-2022-23084 – Potential jail escape vulnerabilities in netmap
https://notcve.org/view.php?id=CVE-2022-23084
06 Apr 2022 — The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment. El tamaño total del nmreq proporcionado por el usuario a nmreq_copyin() se calculó primero y luego se confió en él durante la copia. Este error de tiempo de verificación a tiempo de u... • https://security.freebsd.org/advisories/FreeBSD-SA-22:04.netmap.asc • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •

CVE-2022-23085 – Potential jail escape vulnerabilities in netmap
https://notcve.org/view.php?id=CVE-2022-23085
06 Apr 2022 — A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment. Se pasó una opción de entero proporcionada por el usuario a nmreq_copyin() sin comprobar si se desbordaría. Esta comprobación de los límites insuficiente podría provocar daños en la memoria del kernel. • https://security.freebsd.org/advisories/FreeBSD-SA-22:04.netmap.asc • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVE-2022-23086 – mpr/mps/mpt driver ioctl heap out-of-bounds write
https://notcve.org/view.php?id=CVE-2022-23086
06 Apr 2022 — Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Other heap content would be overwritten if the specified size was too small. Users with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation. Note that the device node is only accessible to root and members of the operator group. Los controladores para *_CFG_PAGE lectura/escritura ioctls e... • https://security.freebsd.org/advisories/FreeBSD-SA-22:06.ioctl.asc • CWE-122: Heap-based Buffer Overflow •