CVSS: 8.8EPSS: 0%CPEs: 22EXPL: 6CVE-2022-32250 – Linux Kernel nf_tables_expr_destroy Use-After-Free Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-32250
net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free. El archivo net/netfilter/nf_tables_api.c en el kernel de Linux versiones hasta 5.18.1, permite a un usuario local (capaz de crear espacios de nombres de usuario/red) escalar privilegios a root porque una comprobación incorrecta de NFT_STATEFUL_EXPR conlleva a un uso de memoria previamente liberada A use-after-free vulnerability was found in the Linux kernel's Netfilter subsystem in net/netfilter/nf_tables_api.c. This flaw allows a local attacker with user access to cause a privilege escalation issue. This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the nf_tables_expr_destroy method. • https://github.com/theori-io/CVE-2022-32250-exploit https://github.com/ysanatomic/CVE-2022-32250-LPE https://github.com/Kristal-g/CVE-2022-32250 http://www.openwall.com/lists/oss-security/2022/06/03/1 http://www.openwall.com/lists/oss-security/2022/06/04/1 http://www.openwall.com/lists/oss-security/2022/06/20/1 http://www.openwall.com/lists/oss-security/2022/07/03/5 http://www.openwall.com/lists/oss-security/2022/07/03/6 http://www.openwall&# • CWE-416: Use After Free •
CVSS: 6.9EPSS: 0%CPEs: 6EXPL: 0CVE-2022-1789 – kernel: KVM: NULL pointer dereference in kvm_mmu_invpcid_gva
https://notcve.org/view.php?id=CVE-2022-1789
With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference. Con shadow paging habilitada, la instrucción INVPCID resulta en una llamada a kvm_mmu_invpcid_gva. Si INVPCID es ejecutado con CR0.PG=0, la llamada de retorno invlpg no es establecida y el resultado es una desreferencia de puntero NULL A flaw was found in KVM. With shadow paging enabled if INVPCID is executed with CR0.PG=0, the invlpg callback is not set, and the result is a NULL pointer dereference. • https://bugzilla.redhat.com/show_bug.cgi?id=1832397 https://francozappa.github.io/about-bias https://kb.cert.org/vuls/id/647177 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6JP355XFVAB33X4BNO3ERVTURFYEDB7 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IBUOQTNTQ4ZCXHOCNKYIL2ZUIAZ675RD https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KCEAPIVPRTJHKPF2A2HVF5XHD5XJT3MN https://www.debian.org/security • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 19EXPL: 0CVE-2022-1652
https://notcve.org/view.php?id=CVE-2022-1652
Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a concurrency use-after-free flaw in the bad_flp_intr function. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. El Kernel de Linux podría permitir a un atacante local ejecutar código arbitrario en el sistema, causado por un fallo de uso de memoria previamente liberada concurrente en la función bad_flp_intr. Al ejecutar un programa especialmente diseñado, un atacante podría explotar esta vulnerabilidad para ejecutar código arbitrario o causar una condición de denegación de servicio en el sistema • https://bugzilla.redhat.com/show_bug.cgi?id=1832397 https://francozappa.github.io/about-bias https://kb.cert.org/vuls/id/647177 https://security.netapp.com/advisory/ntap-20220722-0002 https://www.debian.org/security/2022/dsa-5173 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-1419
https://notcve.org/view.php?id=CVE-2022-1419
The root cause of this vulnerability is that the ioctl$DRM_IOCTL_MODE_DESTROY_DUMB can decrease refcount of *drm_vgem_gem_object *(created in *vgem_gem_dumb_create*) concurrently, and *vgem_gem_dumb_create *will access the freed drm_vgem_gem_object. La causa principal de esta vulnerabilidad es que el ioctl$DRM_IOCTL_MODE_DESTROY_DUMB puede disminuir el refcount de *drm_vgem_gem_object *(creado en *vgem_gem_dumb_create*) simultáneamente, y *vgem_gem_dumb_create *accederá al drm_vgem_gem_object liberado • https://bugzilla.redhat.com/show_bug.cgi?id=2077560 https://www.debian.org/security/2022/dsa-5173 • CWE-416: Use After Free •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1205
https://notcve.org/view.php?id=CVE-2022-1205
A NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system. Se ha encontrado un fallo de desreferencia de puntero NULL en la funcionalidad del protocolo AX.25 de Radio Aficionados del kernel de Linux en la forma en que un usuario es conectado con el protocolo. Este fallo permite a un usuario local bloquear el sistema • https://access.redhat.com/security/cve/CVE-2022-1205 https://bugzilla.redhat.com/show_bug.cgi?id=2071047 https://github.com/torvalds/linux/commit/82e31755e55fbcea6a9dfaae5fe4860ade17cbc0 https://github.com/torvalds/linux/commit/fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009 https://www.openwall.com/lists/oss-security/2022/04/02/4 • CWE-416: Use After Free CWE-476: NULL Pointer Dereference •