CVE-2022-2938 – kernel: use-after-free when psi trigger is destroyed while being polled
https://notcve.org/view.php?id=CVE-2022-2938
A flaw was found in the Linux kernel's implementation of Pressure Stall Information. While the feature is disabled by default, it could allow an attacker to crash the system or have other memory-corruption side effects. Se ha encontrado un fallo en la implementación del kernel de Linux de la Información de Bloqueo de Presión. Aunque la función está deshabilitada por defecto, podría permitir a un atacante bloquear el sistema o tener otros efectos secundarios de corrupción de memoria. A flaw was found in the Linux kernel’s implementation of Pressure Stall Information. • https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a06247c6804f1a7c86a2e5398a4c1f1db1471848 https://security.netapp.com/advisory/ntap-20221223-0002 https://access.redhat.com/security/cve/CVE-2022-2938 https://bugzilla.redhat.com/show_bug.cgi?id=2120175 • CWE-416: Use After Free •
CVE-2022-2873 – kernel: an out-of-bounds vulnerability in i2c-ismt driver
https://notcve.org/view.php?id=CVE-2022-2873
An out-of-bounds memory access flaw was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system. Se ha encontrado un fallo de acceso a memoria fuera de límites en el controlador de host iSMT SMBus del kernel de Linux, en la forma en que un usuario desencadena I2C_SMBUS_BLOCK_DATA (con el ioctl I2C_SMBUS) con datos de entrada maliciosos. Este fallo permite a un usuario local bloquear el sistema. • https://lists.debian.org/debian-lts-announce/2023/03/msg00000.html https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html https://lore.kernel.org/lkml/20220729093451.551672-1-zheyuma97%40gmail.com/T https://security.netapp.com/advisory/ntap-20230120-0001 https://www.debian.org/security/2023/dsa-5324 https://access.redhat.com/security/cve/CVE-2022-2873 https://bugzilla.redhat.com/show_bug.cgi?id=2119048 • CWE-131: Incorrect Calculation of Buffer Size •
CVE-2022-2503 – Linux Kernel LoadPin bypass via dm-verity table reload
https://notcve.org/view.php?id=CVE-2022-2503
Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5 Dm-verity es usado para extender el root confiable a los sistemas de archivos root. • https://github.com/google/security-research/security/advisories/GHSA-6vq3-w69p-w63m https://security.netapp.com/advisory/ntap-20230214-0005 https://access.redhat.com/security/cve/CVE-2022-2503 https://bugzilla.redhat.com/show_bug.cgi?id=2177862 • CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-302: Authentication Bypass by Assumed-Immutable Data •
CVE-2022-2585 – kernel: posix cpu timer use-after-free may lead to local privilege escalation
https://notcve.org/view.php?id=CVE-2022-2585
It was discovered that when exec'ing from a non-leader thread, armed POSIX CPU timers would be left on a list but freed, leading to a use-after-free. Se descubrió que al ejecutar desde un subproceso no líder, los temporizadores de CPU POSIX armados se dejaban en una lista pero se liberaban, lo que generaba un use-after-free. A use-after-free flaw was found in the Linux kernel’s POSIX CPU timers functionality in the way a user creates and then deletes the timer in the non-leader thread of the program. This flaw allows a local user to crash or potentially escalate their privileges on the system. • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2585 https://lore.kernel.org/lkml/20220809170751.164716-1-cascardo@canonical.com/T/#u https://ubuntu.com/security/notices/USN-5564-1 https://ubuntu.com/security/notices/USN-5565-1 https://ubuntu.com/security/notices/USN-5566-1 https://ubuntu.com/security/notices/USN-5567-1 https://www.openwall.com/lists/oss-security/2022/08/09/7 https://access.redhat.com/security/cve/CVE-2022-2585 https://bugzilla.redhat • CWE-416: Use After Free •
CVE-2022-2588 – Linux Kernel route4_change Double Free Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-2588
It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0. Se descubrió que la implementación del filtro cls_route en el kernel de Linux no eliminaba un filtro antiguo de la tabla hash antes de liberarlo si su identificador tenía el valor 0. A use-after-free flaw was found in route4_change in the net/sched/cls_route.c filter implementation in the Linux kernel. This flaw allows a local user to crash the system and possibly lead to a local privilege escalation problem. This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. • https://github.com/Markakd/CVE-2022-2588 https://github.com/veritas501/CVE-2022-2588 https://github.com/BassamGraini/CVE-2022-2588 https://github.com/PolymorphicOpcode/CVE-2022-2588 https://github.com/dom4570/CVE-2022-2588 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2588 https://lore.kernel.org/netdev/20220809170518.164662-1-cascardo@canonical.com/T/#u https://ubuntu.com/security/notices/USN-5557-1 https://ubuntu.com/security/notices/USN-5560-1 https:/ • CWE-415: Double Free CWE-416: Use After Free •