7.1
CVE-2022-26365
- EPSS 0.32%
- Veröffentlicht 05.07.2022 13:15:08
- Zuletzt bearbeitet 21.11.2024 06:53:50
- Quelle security@xen.org
- CVE-Watchlists
- Unerledigt
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 2.6.13 < 4.9.322
Linux ≫ Linux Kernel Version >= 4.14 < 4.14.287
Linux ≫ Linux Kernel Version >= 4.19 < 4.19.251
Linux ≫ Linux Kernel Version >= 5.4 < 5.4.204
Linux ≫ Linux Kernel Version >= 5.10 < 5.10.129
Linux ≫ Linux Kernel Version >= 5.15 < 5.15.53
Linux ≫ Linux Kernel Version >= 5.18 < 5.18.10
Linux ≫ Linux Kernel Version2.6.12 Updaterc2
Linux ≫ Linux Kernel Version2.6.12 Updaterc3
Linux ≫ Linux Kernel Version2.6.12 Updaterc4
Linux ≫ Linux Kernel Version2.6.12 Updaterc5
Linux ≫ Linux Kernel Version2.6.12 Updaterc6
Linux ≫ Linux Kernel Version5.19 Updaterc1
Linux ≫ Linux Kernel Version5.19 Updaterc2
Linux ≫ Linux Kernel Version5.19 Updaterc3
Linux ≫ Linux Kernel Version5.19 Updaterc4
Linux ≫ Linux Kernel Version5.19 Updaterc5
Debian ≫ Debian Linux Version10.0
Debian ≫ Debian Linux Version11.0
Fedoraproject ≫ Fedora Version35
Fedoraproject ≫ Fedora Version36
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.32% | 0.24 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.1 | 1.8 | 5.2 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
|
| nvd@nist.gov | 3.6 | 3.9 | 4.9 |
AV:L/AC:L/Au:N/C:P/I:N/A:P
|
CWE-401 Missing Release of Memory after Effective Lifetime
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/
https://www.debian.org/security/2022/dsa-5191
http://www.openwall.com/lists/oss-security/2022/07/05/6
http://xenbits.xen.org/xsa/advisory-403.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGFTRZ66KQYTSYIRT5FRHF5D6O72NWOP/
https://xenbits.xenproject.org/xsa/advisory-403.txt