CVE-2020-8835

Linux kernel bpf verifier vulnerability

Severity Score: 7.8 (CVSS v3.1)
Public Exploits: 6 (multiple sources)

Descriptions

In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)

This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.

*Credits: Manfred Paul, Anatoly Trosinenko
CVSS Scores
  • Attack Vector: Local | Attack Complexity: Low | Privileges Required: Low | User Interaction: None | Scope: Unchanged | Confidentiality: High | Integrity: High | Availability: High
  • Attack Vector: Local | Attack Complexity: High | Privileges Required: Low | User Interaction: None | Scope: Changed | Confidentiality: High | Integrity: High | Availability: High
  • Attack Vector: Local | Attack Complexity: Low | Privileges Required: Low | User Interaction: None | Scope: Changed | Confidentiality: High | Integrity: High | Availability: High
  • Attack Vector: Local | Attack Complexity: Low | Authentication: None | Confidentiality: Complete | Integrity: Complete | Availability: Complete
* Common Vulnerability Scoring System
Timeline
  • 2020-02-10 CVE Reserved
  • 2020-03-30 CVE Published
  • 2020-05-12 First Exploit
  • 2023-03-08 EPSS Updated
  • 2024-09-17 CVE Updated
CWE
  • CWE-125: Out-of-bounds Read
  • CWE-787: Out-of-bounds Write
Affected Vendors, Products, and Versions

| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Netapp | A700s Firmware | - | - | Affected |
| in Netapp | A700s | - | - | Safe |
| Netapp | 8300 Firmware | - | - | Affected |
| in Netapp | 8300 | - | - | Safe |
| Netapp | 8700 Firmware | - | - | Affected |
| in Netapp | 8700 | - | - | Safe |
| Netapp | A400 Firmware | - | - | Affected |
| in Netapp | A400 | - | - | Safe |
| Netapp | A320 Firmware | - | - | Affected |
| in Netapp | A320 | - | - | Safe |
| Netapp | C190 Firmware | - | - | Affected |
| in Netapp | C190 | - | - | Safe |
| Netapp | A220 Firmware | - | - | Affected |
| in Netapp | A220 | - | - | Safe |
| Netapp | Fas2720 Firmware | - | - | Affected |
| in Netapp | Fas2720 | - | - | Safe |
| Netapp | Fas2750 Firmware | - | - | Affected |
| in Netapp | Fas2750 | - | - | Safe |
| Netapp | A800 Firmware | - | - | Affected |
| in Netapp | A800 | - | - | Safe |
| Netapp | H300s Firmware | - | - | Affected |
| in Netapp | H300s | - | - | Safe |
| Netapp | H500s Firmware | - | - | Affected |
| in Netapp | H500s | - | - | Safe |
| Netapp | H700s Firmware | - | - | Affected |
| in Netapp | H700s | - | - | Safe |
| Netapp | H300e Firmware | - | - | Affected |
| in Netapp | H300e | - | - | Safe |
| Netapp | H500e Firmware | - | - | Affected |
| in Netapp | H500e | - | - | Safe |
| Netapp | H700e Firmware | - | - | Affected |
| in Netapp | H700e | - | - | Safe |
| Netapp | H410s Firmware | - | - | Affected |
| in Netapp | H410s | - | - | Safe |
| Netapp | H610c Firmware | - | - | Affected |
| in Netapp | H610c | - | - | Safe |
| Netapp | H610s Firmware | - | - | Affected |
| in Netapp | H610s | - | - | Safe |
| Netapp | H615c Firmware | - | - | Affected |
| in Netapp | H615c | - | - | Safe |
| Linux | Linux Kernel | >= 5.4.7 < 5.4.29 | - | Affected |
| Linux | Linux Kernel | >= 5.5.0 < 5.5.14 | - | Affected |
| Linux | Linux Kernel | >= 5.6 < 5.6.1 | - | Affected |
| Fedoraproject | Fedora | 30 | - | Affected |
| Fedoraproject | Fedora | 31 | - | Affected |
| Fedoraproject | Fedora | 32 | - | Affected |
| Canonical | Ubuntu Linux | 18.04 | lts | Affected |
| Canonical | Ubuntu Linux | 19.10 | - | Affected |
| Netapp | Cloud Backup | - | - | Affected |
| Netapp | Hci Management Node | - | - | Affected |
| Netapp | Solidfire | - | - | Affected |
| Netapp | Steelstore Cloud Integrated Storage | - | - | Affected |