Vulnerability-Lookup

alsa-2023:4378

Vulnerability from osv_almalinux

Published

2023-08-01 00:00

Modified

2023-08-08 13:32

Summary

Important: kernel-rt security and bug fix update

Details

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

kernel: ipvlan: out-of-bounds write caused by unclear skb->cb (CVE-2023-3090)
kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt() (CVE-2023-35788)
kernel: KVM: x86/mmu: race condition in direct_page_fault() (CVE-2022-45869)
kernel: speculative pointer dereference in do_prlimit() in kernel/sys.c (CVE-2023-0458)
kernel: Spectre v2 SMT mitigations problem (CVE-2023-1998)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:4378	ADVISORY
	https://access.redhat.com/security/cve/CVE-2022-45869	REPORT
	https://access.redhat.com/security/cve/CVE-2023-0458	REPORT
	https://access.redhat.com/security/cve/CVE-2023-1998	REPORT
	https://access.redhat.com/security/cve/CVE-2023-3090	REPORT
	https://access.redhat.com/security/cve/CVE-2023-35788	REPORT
	https://bugzilla.redhat.com/2151317	REPORT
	https://bugzilla.redhat.com/2187257	REPORT
	https://bugzilla.redhat.com/2193219	REPORT
	https://bugzilla.redhat.com/2215768	REPORT
	https://bugzilla.redhat.com/2218672	REPORT
	https://errata.almalinux.org/9/ALSA-2023-4378.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "kernel-rt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.0-284.25.1.rt14.310.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "kernel-rt-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.0-284.25.1.rt14.310.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "kernel-rt-debug"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.0-284.25.1.rt14.310.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "kernel-rt-debug-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.0-284.25.1.rt14.310.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "kernel-rt-debug-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.0-284.25.1.rt14.310.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "kernel-rt-debug-kvm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.0-284.25.1.rt14.310.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "kernel-rt-debug-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.0-284.25.1.rt14.310.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "kernel-rt-debug-modules-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.0-284.25.1.rt14.310.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "kernel-rt-debug-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.0-284.25.1.rt14.310.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "kernel-rt-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.0-284.25.1.rt14.310.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "kernel-rt-kvm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.0-284.25.1.rt14.310.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "kernel-rt-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.0-284.25.1.rt14.310.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "kernel-rt-modules-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.0-284.25.1.rt14.310.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "kernel-rt-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.0-284.25.1.rt14.310.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* kernel: ipvlan: out-of-bounds write caused by unclear skb-\u003ecb (CVE-2023-3090)\n* kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt() (CVE-2023-35788)\n* kernel: KVM: x86/mmu: race condition in direct_page_fault() (CVE-2022-45869)\n* kernel: speculative pointer dereference in do_prlimit() in kernel/sys.c (CVE-2023-0458)\n* kernel: Spectre v2 SMT mitigations problem (CVE-2023-1998)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2023:4378",
  "modified": "2023-08-08T13:32:55Z",
  "published": "2023-08-01T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:4378"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-45869"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-0458"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-1998"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-3090"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-35788"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2151317"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2187257"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2193219"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2215768"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2218672"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2023-4378.html"
    }
  ],
  "related": [
    "CVE-2023-3090",
    "CVE-2023-35788",
    "CVE-2022-45869",
    "CVE-2023-0458",
    "CVE-2023-1998"
  ],
  "summary": "Important: kernel-rt security and bug fix update"
}

CVE-2023-0458 (GCVE-0-2023-0458)

Vulnerability from cvelistv5 – Published: 2023-04-26 18:03 – Updated: 2025-02-13 16:38

Title

Spectre V1 Gadget in do_prlimit in the Linux Kernel

Summary

A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Google

References

URL

Tags

	https://git.kernel.org/pub/scm/linux/kernel/git/s…
	https://github.com/torvalds/linux/commit/73979060…
	https://lists.debian.org/debian-lts-announce/2023…
	https://lists.debian.org/debian-lts-announce/2023…

Impacted products

	Vendor	Product	Version
	Linux	Linux Kernel	Affected: 0 , ≤ 6.1.8 (custom)

Date Public ?

2023-01-21 20:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:10:56.346Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/diff/kernel/sys.c?id=v6.1.8\u0026id2=v6.1.7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/torvalds/linux/commit/739790605705ddcf18f21782b9c99ad7d53a8c11"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-0458",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-30T21:32:45.608103Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-30T21:32:49.157Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "kernel",
          "product": "Linux Kernel",
          "repo": "https://git.kernel.org",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.8",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2023-01-21T20:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the \u0027rlim\u0027 variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit\u0026nbsp;739790605705ddcf18f21782b9c99ad7d53a8c11"
            }
          ],
          "value": "A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the \u0027rlim\u0027 variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit\u00a0739790605705ddcf18f21782b9c99ad7d53a8c11"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-129",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-129 Pointer Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-03T13:06:31.511Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/diff/kernel/sys.c?id=v6.1.8\u0026id2=v6.1.7"
        },
        {
          "url": "https://github.com/torvalds/linux/commit/739790605705ddcf18f21782b9c99ad7d53a8c11"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Spectre V1 Gadget in do_prlimit in the Linux Kernel",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2023-0458",
    "datePublished": "2023-04-26T18:03:11.815Z",
    "dateReserved": "2023-01-24T09:43:28.025Z",
    "dateUpdated": "2025-02-13T16:38:58.312Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3090 (GCVE-0-2023-3090)

Vulnerability from cvelistv5 – Published: 2023-06-28 19:06 – Updated: 2025-03-05 18:55

Title

Out-of-bounds write in Linux kernel's ipvlan network driver

Summary

A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation. The out-of-bounds write is caused by missing skb->cb initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled. We recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Assigner

Google

References

URL

Tags

	https://git.kernel.org/pub/scm/linux/kernel/git/t…	patch
	https://kernel.dance/90cbed5247439a966b645b34eb0a…
	https://www.debian.org/security/2023/dsa-5448
	https://lists.debian.org/debian-lts-announce/2023…
	https://security.netapp.com/advisory/ntap-2023073…
	https://www.debian.org/security/2023/dsa-5480
	http://packetstormsecurity.com/files/174577/Kerne…
	http://packetstormsecurity.com/files/175072/Kerne…
	https://lists.debian.org/debian-lts-announce/2023…

Impacted products

	Vendor	Product	Version
	Linux	Kernel	Affected: 3.19 , < 6.4 (custom)

Date Public ?

2023-05-10 09:33

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:41:04.144Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=90cbed5247439a966b645b34eb0a2e037836ea8e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://kernel.dance/90cbed5247439a966b645b34eb0a2e037836ea8e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5448"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230731-0002/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5480"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3090",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-05T18:42:13.331109Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-05T18:55:25.596Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "kernel",
          "product": "Kernel",
          "repo": "https://git.kernel.org",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.4",
              "status": "affected",
              "version": "3.19",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "CONFIG_IPVLAN kernel config.\u003cbr\u003e"
            }
          ],
          "value": "CONFIG_IPVLAN kernel config."
        }
      ],
      "datePublic": "2023-05-10T09:33:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation.\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe out-of-bounds write is caused by missing skb-\u0026gt;cb  initialization in the ipvlan network driver. The vulnerability is reachable if\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCONFIG_IPVLAN is enabled.\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eWe recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation.\n\nThe out-of-bounds write is caused by missing skb-\u003ecb  initialization in the ipvlan network driver. The vulnerability is reachable if\u00a0CONFIG_IPVLAN is enabled.\n\n\nWe recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-19T23:07:09.083Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=90cbed5247439a966b645b34eb0a2e037836ea8e"
        },
        {
          "url": "https://kernel.dance/90cbed5247439a966b645b34eb0a2e037836ea8e"
        },
        {
          "url": "https://www.debian.org/security/2023/dsa-5448"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230731-0002/"
        },
        {
          "url": "https://www.debian.org/security/2023/dsa-5480"
        },
        {
          "url": "http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html"
        },
        {
          "url": "http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Out-of-bounds write in Linux kernel\u0027s ipvlan network driver",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2023-3090",
    "datePublished": "2023-06-28T19:06:41.221Z",
    "dateReserved": "2023-06-03T22:31:04.130Z",
    "dateUpdated": "2025-03-05T18:55:25.596Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-35788 (GCVE-0-2023-35788)

Vulnerability from cvelistv5 – Published: 2023-06-16 00:00 – Updated: 2025-05-05 15:57

Summary

An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

Assigner

mitre

References

URL

Tags

	https://www.openwall.com/lists/oss-security/2023/…
	https://git.kernel.org/linus/4d56304e5827c8cc8cc1…
	https://cdn.kernel.org/pub/linux/kernel/v6.x/Chan…
	http://www.openwall.com/lists/oss-security/2023/06/17/1	mailing-list
	https://www.debian.org/security/2023/dsa-5448	vendor-advisory
	https://security.netapp.com/advisory/ntap-2023071…
	https://lists.debian.org/debian-lts-announce/2023…	mailing-list
	https://www.debian.org/security/2023/dsa-5480	vendor-advisory
	http://packetstormsecurity.com/files/174577/Kerne…
	https://lists.debian.org/debian-lts-announce/2023…	mailing-list

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:30:45.365Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2023/06/07/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/linus/4d56304e5827c8cc8cc18c75343d283af7c4825c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.3.7"
          },
          {
            "name": "[oss-security] 20230617 Re: Linux kernel: off-by-one in fl_set_geneve_opt",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/06/17/1"
          },
          {
            "name": "DSA-5448",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5448"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230714-0002/"
          },
          {
            "name": "[debian-lts-announce] 20230727 [SECURITY] [DLA 3508-1] linux security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html"
          },
          {
            "name": "DSA-5480",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5480"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html"
          },
          {
            "name": "[debian-lts-announce] 20231019 [SECURITY] [DLA 3623-1] linux-5.10 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-35788",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T13:29:16.172490Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-05T15:57:20.355Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-19T23:07:19.640Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.openwall.com/lists/oss-security/2023/06/07/1"
        },
        {
          "url": "https://git.kernel.org/linus/4d56304e5827c8cc8cc18c75343d283af7c4825c"
        },
        {
          "url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.3.7"
        },
        {
          "name": "[oss-security] 20230617 Re: Linux kernel: off-by-one in fl_set_geneve_opt",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2023/06/17/1"
        },
        {
          "name": "DSA-5448",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2023/dsa-5448"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230714-0002/"
        },
        {
          "name": "[debian-lts-announce] 20230727 [SECURITY] [DLA 3508-1] linux security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html"
        },
        {
          "name": "DSA-5480",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2023/dsa-5480"
        },
        {
          "url": "http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html"
        },
        {
          "name": "[debian-lts-announce] 20231019 [SECURITY] [DLA 3623-1] linux-5.10 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-35788",
    "datePublished": "2023-06-16T00:00:00.000Z",
    "dateReserved": "2023-06-16T00:00:00.000Z",
    "dateUpdated": "2025-05-05T15:57:20.355Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-45869 (GCVE-0-2022-45869)

Vulnerability from cvelistv5 – Published: 2022-11-30 00:00 – Updated: 2025-04-24 18:57

Summary

A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the TDP MMU are enabled.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

Assigner

mitre

References

URL

Tags

https://git.kernel.org/pub/scm/linux/kernel/git/t…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T14:24:03.200Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=47b0c2e4c220f2251fd8dcfbb44479819c715e15"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-45869",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-24T18:57:15.701304Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-362",
                "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-24T18:57:20.580Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the TDP MMU are enabled."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-30T00:00:00.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=47b0c2e4c220f2251fd8dcfbb44479819c715e15"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-45869",
    "datePublished": "2022-11-30T00:00:00.000Z",
    "dateReserved": "2022-11-23T00:00:00.000Z",
    "dateUpdated": "2025-04-24T18:57:20.580Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-1998 (GCVE-0-2023-1998)

Vulnerability from cvelistv5 – Published: 2023-04-21 14:51 – Updated: 2025-02-13 16:39

Title

Spectre v2 SMT mitigations problem in Linux kernel

Summary

The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line. This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.

Severity ?

5.6 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-1303 - Non-Transparent Sharing of Microarchitectural Resources

Assigner

Google

References

URL

Tags

	https://github.com/google/security-research/secur…
	https://github.com/torvalds/linux/commit/6921ed90…
	https://kernel.dance/#6921ed9049bc7457f66c1596c5b…
	https://lists.debian.org/debian-lts-announce/2023…
	https://lists.debian.org/debian-lts-announce/2023…

Impacted products

	Vendor	Product	Version
	Linux	Linux Kernel	Affected: 0 , < 6.3 (custom)

Date Public ?

2023-04-13 16:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:05:27.106Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/google/security-research/security/advisories/GHSA-mj4w-6495-6crx"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/torvalds/linux/commit/6921ed9049bc7457f66c1596c5b78aec0dae4a9d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-1998",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T20:32:12.930829Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-04T20:32:19.209Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://git.kernel.org/",
          "defaultStatus": "unaffected",
          "modules": [
            "x86/speculation"
          ],
          "packageName": "kernel",
          "platforms": [
            "Linux"
          ],
          "product": "Linux Kernel",
          "repo": "https://git.kernel.org/",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2023-04-13T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line.\u003c/p\u003e\u003cp\u003eThis happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line.\n\nThis happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-663",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-663 Exploitation of Transient Instruction Execution"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1303",
              "description": "CWE-1303 Non-Transparent Sharing of Microarchitectural Resources",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-03T13:06:44.224Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://github.com/google/security-research/security/advisories/GHSA-mj4w-6495-6crx"
        },
        {
          "url": "https://github.com/torvalds/linux/commit/6921ed9049bc7457f66c1596c5b78aec0dae4a9d"
        },
        {
          "url": "https://kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Spectre v2 SMT mitigations problem in Linux kernel",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2023-1998",
    "datePublished": "2023-04-21T14:51:52.907Z",
    "dateReserved": "2023-04-12T09:38:13.899Z",
    "dateUpdated": "2025-02-13T16:39:44.383Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

alsa-2023:4378

Vulnerability from osv_almalinux

CVE-2023-0458 (GCVE-0-2023-0458)

CVE-2023-3090 (GCVE-0-2023-3090)

CVE-2023-35788 (GCVE-0-2023-35788)

CVE-2022-45869 (GCVE-0-2022-45869)

CVE-2023-1998 (GCVE-0-2023-1998)

Tags

Sightings

Nomenclature