Missing release of memory after effective lifetime in Linux kernel - CVE-2002-1571
Published: December 31, 2002 / Updated: September 5, 2008
Vulnerability identifier: #VU99980
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2002-1571
CWE-ID: CWE-401
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to gain access to sensitive information.
The Linux 2.4 kernel before 2.4.19 assumes that the `fninit` instruction clears all registers. On processors where it does not clear all relevant SSE registers, this could lead to an information leak.
How to mitigate CVE-2002-1571
Install the update from the vendor's repository.
Sources
- http://linux.bkbits.net:8080/linux-2.4/diffs/arch/i386/kernel/i387.c@1.6
- http://search.luky.org/linux-kernel.2002/msg24003.html
- http://search.luky.org/linux-kernel.2002/msg24992.html
- http://www.cs.helsinki.fi/linux/linux-kernel/2002-15/0628.html
- http://www.cs.helsinki.fi/linux/linux-kernel/2002-15/0760.html