Buffer overflow in Linux kernel block

1) Buffer overflow

EUVDB-ID: #VU104891

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-49147

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the blk_alloc_ext_minor() function in block/genhd.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.17 - 5.17.1

CPE2.3

• cpe:2.3:o:linux_foundation:linux_kernel:5.17:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc1:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc2:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc3:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc4:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc5:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc6:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc7:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc8:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:5.17:rc9:*:*:*:*:*:*

External links

https://git.kernel.org/stable/c/0f8cf8f5ccbad25ed6828875b222dbab29d5c272
https://git.kernel.org/stable/c/5b9ac3727e4abb11c9cfbe9c0781fc05dfdd7cfb
https://git.kernel.org/stable/c/d1868328dec5ae2cf210111025fcbc71f78dd5ca
https://git.kernel.org/stable/c/fbe2cc4525480ddd20c866bb5c0578071e01451a
https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.17.2

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.