CVE-2015-2666

kernel: execution in the early microcode loader

Severity Score

8.4

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to the initrd.

Desbordamiento de buffer basado en pila en la función get_matching_model_microcode en arch/x86/kernel/cpu/microcode/intel_early.c en el kernel de Linux anterior a 4.0 permite a atacantes dependientes de contexto ganar privilegios mediante la construcción de una cabecera de microcódigo manipulada y el aprovechamiento de privilegios root para acceso de escritura al initrd.

A stack-based buffer overflow flaw was found in the Linux kernel's early load microcode functionality. On a system with UEFI Secure Boot enabled, a local, privileged user could use this flaw to increase their privileges to the kernel (ring0) level, bypassing intended restrictions in place.

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. An integer overflow flaw was found in the way the Linux kernel's netfilter connection tracking implementation loaded extensions. An attacker on a local network could potentially send a sequence of specially crafted packets that would initiate the loading of a large number of extensions, causing the targeted system in that network to crash. A stack-based buffer overflow flaw was found in the Linux kernel's early load microcode functionality. On a system with UEFI Secure Boot enabled, a local, privileged user could use this flaw to increase their privileges to the kernel level, bypassing intended restrictions in place.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

Attack Vector

Local

Attack Complexity

High

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-03-20 CVE Reserved
2015-04-30 CVE Published
2024-08-06 CVE Updated
2025-05-20 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (8)

URL	Tag	Source
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=f84598bd7c851f8b0bf8cd0d7c3be0d73c432ff4	Broken Link
http://www.openwall.com/lists/oss-security/2015/03/20/18	Mailing List
http://www.securitytracker.com/id/1032414	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/torvalds/linux/commit/f84598bd7c851f8b0bf8cd0d7c3be0d73c432ff4	2024-03-14

URL	Date	SRC
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153329.html	2024-03-14
http://rhn.redhat.com/errata/RHSA-2015-1534.html	2024-03-14
https://bugzilla.redhat.com/show_bug.cgi?id=1204722	2015-08-05
https://access.redhat.com/security/cve/CVE-2015-2666	2015-08-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 3.10.83 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 3.10.83"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.11 < 3.12.40 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.11 < 3.12.40"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.13 < 3.14.47 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 3.14.47"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.15 < 3.16.35 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.15 < 3.16.35"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.17 < 3.18.19 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.17 < 3.18.19"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				21 Search vendor "Fedoraproject" for product "Fedora" and version "21"		-		Affected