CVE-2022-3629

Linux Kernel af_vsock.c vsock_connect memory leak

Severity Score

3.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c. The manipulation leads to memory leak. The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability.

Se ha encontrado una vulnerabilidad en el Kernel de Linux. Ha sido declarada como problemática. Esta vulnerabilidad afecta a la función vsock_connect del archivo net/vmw_vsock/af_vsock.c del componente IPsec. La manipulación conlleva a una pérdida de memoria. Es recomendado aplicar un parche para corregir este problema. VDB-211930 es el identificador asignado a esta vulnerabilidad

In Linux Kernel wurde eine Schwachstelle ausgemacht. Sie wurde als problematisch eingestuft. Es geht um die Funktion vsock_connect der Datei net/vmw_vsock/af_vsock.c. Durch Manipulation mit unbekannten Daten kann eine memory leak-Schwachstelle ausgenutzt werden. Die Komplexität eines Angriffs ist eher hoch. Das Ausnutzen gilt als schwierig. Als bestmögliche Massnahme wird Patching empfohlen.

An update that solves 37 vulnerabilities, contains 25 features and has 38 fixes is now available. The SUSE Linux Enterprise 15-SP4 Azure kernel was updated to receive various security and bug fixes.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Adjacent

Attack Complexity

High

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2022-10-21 CVE Reserved
2022-10-21 CVE Published
2025-04-23 CVE Updated
2025-06-01 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-401: Missing Release of Memory after Effective Lifetime

CAPEC

References (2)

URL	Tag	Source
https://vuldb.com/?id.211930	Technical Description

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git/commit/?id=7e97cfed9929eaabc41829c395eb0d1350fccb9d	2024-05-17

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				-		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected