// For flags

CVE-2010-4075

kernel: drivers/serial/serial_core.c: reading uninitialized stack memory

Severity Score

5.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel before 2.6.37-rc1 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

La función uart_get_count de drivers/serial/serial_core.c del kernel de Linux en versiones anteriores a la 2.6.37-rc1 no inicializa apropiadamente un miembro de una determinada estructura, lo que permite a usuarios locales obtener información potencialmente confidencial de la memoria de la pila del kernel a través de una llamada ioctl TIOCGICOUNT.

Dan Rosenberg discovered that multiple terminal ioctls did not correctly initialize structure memory. Dan Rosenberg discovered that the socket filters did not correctly initialize structure memory. Dan Rosenberg discovered that certain iovec operations did not calculate page counts correctly. Dan Rosenberg discovered that the SCSI subsystem did not correctly validate iov segments. Dan Rosenberg discovered multiple flaws in the X.25 facilities parsing. Alan Cox discovered that the HCI UART driver did not correctly check if a write operation was available. Nelson Elhage discovered that the kernel did not correctly handle process cleanup after triggering a recoverable kernel bug. Tavis Ormandy discovered that the install_special_mapping function could bypass the mmap_min_addr restriction.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2010-10-25 CVE Reserved
  • 2010-11-29 CVE Published
  • 2011-09-14 First Exploit
  • 2024-08-07 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (22)
URL Tag Source
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=d281da7ff6f70efca0553c288bb883e8605b3862 X_refsource_confirm
http://secunia.com/advisories/42884 Third Party Advisory
http://secunia.com/advisories/42890 Third Party Advisory
http://secunia.com/advisories/42963 Third Party Advisory
http://secunia.com/advisories/46397 Third Party Advisory
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.37-rc1 Broken Link
http://www.openwall.com/lists/oss-security/2010/10/06/6 Mailing List
http://www.securityfocus.com/archive/1/520102/100/0/threaded Mailing List
http://www.securityfocus.com/bid/43806 Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2011-0012.html Third Party Advisory
http://www.vupen.com/english/advisories/2011/0168 Third Party Advisory
URL Date SRC
https://packetstorm.news/files/id/105078 2011-09-14
URL Date SRC
http://lkml.indiana.edu/hypermail//linux/kernel/1009.1/03388.html 2023-11-07
http://www.openwall.com/lists/oss-security/2010/09/25/2 2023-11-07
http://www.openwall.com/lists/oss-security/2010/10/07/1 2023-11-07
http://www.openwall.com/lists/oss-security/2010/10/25/3 2023-11-07
https://bugzilla.redhat.com/show_bug.cgi?id=648660 2011-01-18
URL Date SRC
http://www.redhat.com/support/errata/RHSA-2010-0958.html 2023-11-07
http://www.redhat.com/support/errata/RHSA-2011-0007.html 2023-11-07
http://www.redhat.com/support/errata/RHSA-2011-0017.html 2023-11-07
http://www.redhat.com/support/errata/RHSA-2011-0162.html 2023-11-07
https://access.redhat.com/security/cve/CVE-2010-4075 2011-01-18
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 < 2.6.37
Search vendor "Linux" for product "Linux Kernel" and version " < 2.6.37"
-
Affected