CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23089 – Out of bound read in elf_note_prpsinfo()
https://notcve.org/view.php?id=CVE-2022-23089
09 Aug 2022 — When dumping core and saving process information, proc_getargv() might return an sbuf which have a sbuf_len() of 0 or -1, which is not properly handled. An out-of-bound read can happen when user constructs a specially crafted ps_string, which in turn can cause the kernel to crash. Al volcar el núcleo y guardar la información del proceso, proc_getargv() puede devolver un sbuf que tiene un sbuf_len() de 0 o -1, que no se maneja adecuadamente. Puede ocurrir una lectura fuera de los límites cuando el usuario co... • https://security.freebsd.org/advisories/FreeBSD-SA-22:09.elf.asc • CWE-125: Out-of-bounds Read •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23091 – Memory disclosure by stale virtual memory mapping
https://notcve.org/view.php?id=CVE-2022-23091
09 Aug 2022 — A particular case of memory sharing is mishandled in the virtual memory system. This is very similar to SA-21:08.vm, but with a different root cause. An unprivileged local user process can maintain a mapping of a page after it is freed, allowing that process to read private data belonging to other processes or the kernel. Un caso particular de compartir memoria se maneja mal en el sistema de memoria virtual. Esto es muy similar a SA-21:08.vm, pero con una causa raíz diferente. • https://security.freebsd.org/advisories/FreeBSD-SA-22:11.vm.asc • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23092 – Missing bounds check in 9p message handling
https://notcve.org/view.php?id=CVE-2022-23092
09 Aug 2022 — The implementation of lib9p's handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory. The bug can be triggered by a malicious bhyve guest kernel to overwrite memory in the bhyve(8) process. This could potentially lead to user-mode code execution on the host, subject to bhyve's Capsicum sandbox. A la implementación del manejo de mensajes RWALK por p... • https://security.freebsd.org/advisories/FreeBSD-SA-22:12.lib9p.asc • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-23090 – AIO credential reference count leak
https://notcve.org/view.php?id=CVE-2022-23090
09 Aug 2022 — The aio_aqueue function, used by the lio_listio system call, fails to release a reference to a credential in an error case. An attacker may cause the reference count to overflow, leading to a use after free (UAF). La función aio_aqueue, utilizada por la llamada al sistema lio_listio, no puede liberar una referencia a una credencial en un caso de error. Un atacante puede provocar que el recuento de referencias se desborde, lo que provocará un use after free (UAF). • https://packetstorm.news/files/id/168105 • CWE-416: Use After Free •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23084 – Potential jail escape vulnerabilities in netmap
https://notcve.org/view.php?id=CVE-2022-23084
06 Apr 2022 — The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment. El tamaño total del nmreq proporcionado por el usuario a nmreq_copyin() se calculó primero y luego se confió en él durante la copia. Este error de tiempo de verificación a tiempo de u... • https://security.freebsd.org/advisories/FreeBSD-SA-22:04.netmap.asc • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23085 – Potential jail escape vulnerabilities in netmap
https://notcve.org/view.php?id=CVE-2022-23085
06 Apr 2022 — A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment. Se pasó una opción de entero proporcionada por el usuario a nmreq_copyin() sin comprobar si se desbordaría. Esta comprobación de los límites insuficiente podría provocar daños en la memoria del kernel. • https://security.freebsd.org/advisories/FreeBSD-SA-22:04.netmap.asc • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23086 – mpr/mps/mpt driver ioctl heap out-of-bounds write
https://notcve.org/view.php?id=CVE-2022-23086
06 Apr 2022 — Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Other heap content would be overwritten if the specified size was too small. Users with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation. Note that the device node is only accessible to root and members of the operator group. Los controladores para *_CFG_PAGE lectura/escritura ioctls e... • https://security.freebsd.org/advisories/FreeBSD-SA-22:06.ioctl.asc • CWE-122: Heap-based Buffer Overflow •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23087 – Bhyve e82545 device emulation out-of-bounds write
https://notcve.org/view.php?id=CVE-2022-23087
06 Apr 2022 — The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets. When checksum offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to specify t... • https://security.freebsd.org/advisories/FreeBSD-SA-22:05.bhyve.asc • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 7%CPEs: 1EXPL: 0CVE-2022-23088 – 802.11 heap buffer overflow
https://notcve.org/view.php?id=CVE-2022-23088
06 Apr 2022 — The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution. La rutina de manejo de balizas 802.11 no pudo validar la longitud de un ID de malla IEEE 802.11 antes de copiarlo en un búfer asignado en montón. Mientras un cliente Wi-Fi de FreeBSD está en modo de esc... • https://security.freebsd.org/advisories/FreeBSD-SA-22:07.wifi_meshid.asc • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 30EXPL: 0CVE-2021-29632 – FreeBSD Security Advisory - FreeBSD-SA-22:01.vt
https://notcve.org/view.php?id=CVE-2021-29632
11 Jan 2022 — In FreeBSD 13.0-STABLE before n247428-9352de39c3dc, 12.2-STABLE before r370674, 13.0-RELEASE before p6, and 12.2-RELEASE before p12, certain conditions involving use of the highlight buffer while text is scrolling on the console, console data may overwrite data structures associated with the system console or other kernel memory. En FreeBSD versión 13.0-STABLE anteriores a n247428-9352de39c3dc, 12.2-STABLE anteriores a r370674, 13.0-RELEASE anteriores a p6 y 12.2-RELEASE anteriores a p12, en determinadas co... • https://security.freebsd.org/advisories/FreeBSD-SA-22:01.vt.asc •