4.9
CVE-2009-3288
- EPSS 0.08%
- Published 22.09.2009 10:30:00
- Last modified 09.04.2025 00:30:58
- Source cve@mitre.org
- Teams watchlist Login
- Open Login
The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel 2.6.28-rc1 through 2.6.31-rc8 uses an incorrect variable when accessing an array, which allows local users to cause a denial of service (kernel OOPS and NULL pointer dereference), as demonstrated by using xcdroast to duplicate a CD. NOTE: this is only exploitable by users who can open the cdrom device.
Data is provided by the National Vulnerability Database (NVD)
Kernel ≫ Linux Kernel Version2.6.28-rc1
Linux ≫ Linux Kernel Version2.6.31-rc2
Linux ≫ Linux Kernel Version2.6.31-rc3
Linux ≫ Linux Kernel Version2.6.31-rc4
Linux ≫ Linux Kernel Version2.6.31-rc5
Linux ≫ Linux Kernel Version2.6.31-rc6
Linux ≫ Linux Kernel Version2.6.31-rc7
Linux ≫ Linux Kernel Version2.6.31-rc8
Linux ≫ Linux Kernel Version2.6.31-rc9
Linux ≫ Linux Kernel Version2.6.31-rc10
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.08% | 0.196 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 4.9 | 3.9 | 6.9 |
AV:L/AC:L/Au:N/C:N/I:N/A:C
|
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.