CVE-2022-0175

Ubuntu Security Notice USN-5309-1

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer). The virgl did not properly initialize memory when allocating a host-backed memory resource. A malicious guest could use this flaw to mmap from the guest kernel and read this uninitialized memory from the host, possibly leading to information disclosure.

Se encontró un fallo en VirGL virtual OpenGL renderer (virglrenderer). El virgl no inicializaba apropiadamente la memoria cuando asignaba un recurso de memoria respaldado por el host. Un huésped malicioso podría usar este fallo para hacer un mapa del núcleo del huésped y leer esta memoria no inicializada del anfitrión, lo que posiblemente conllevaría a una divulgación de información.

It was discovered that virglrenderer incorrectly handled memory. An attacker inside a guest could use this issue to cause virglrenderer to crash, resulting in a denial of service, or possibly execute arbitrary code. It was discovered that virglrenderer incorrectly initialized memory. An attacker inside a guest could possibly use this issue to obtain sensitive host information.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-10 CVE Reserved
2022-03-01 CVE Published
2024-08-02 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-909: Missing Initialization of Resource

CAPEC

References (6)

URL	Tag	Source
https://access.redhat.com/security/cve/CVE-2022-0175	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=2039003	2022-11-08
https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/b05bb61f454eeb8a85164c8a31510aeb9d79129c	2022-11-08
https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654	2022-11-08
https://security-tracker.debian.org/tracker/CVE-2022-0175	2022-11-08

URL	Date	SRC
https://security.gentoo.org/glsa/202210-05	2022-11-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Virglrenderer Project Search vendor "Virglrenderer Project"		Virglrenderer Search vendor "Virglrenderer Project" for product "Virglrenderer"				0.9.0 Search vendor "Virglrenderer Project" for product "Virglrenderer" and version "0.9.0"		-		Affected
Virglrenderer Project Search vendor "Virglrenderer Project"		Virglrenderer Search vendor "Virglrenderer Project" for product "Virglrenderer"				0.9.1 Search vendor "Virglrenderer Project" for product "Virglrenderer" and version "0.9.1"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		advanced_virtualization		Affected