Resource management error in Linux kernel

#VU47075 Resource management error in Linux kernel

Published: 2020-09-16 | Updated: 2020-09-26

Vulnerability identifier: #VU47075

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-10767

CWE-ID: CWE-399

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to gain access to sensitive information.

A flaw was found in the Linux kernel before 5.8-rc1 in the implementation of the Enhanced IBPB (Indirect Branch Prediction Barrier). The IBPB mitigation will be disabled when STIBP is not available or when the Enhanced Indirect Branch Restricted Speculation (IBRS) is available. This flaw allows a local user to perform a Spectre V2 style attack when this configuration is active.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: 5.0 - 5.7.7

CPE

cpe:2.3:o:linux_foundation:linux_kernel:5.0:*:*:*:*:*:*:*

External links
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10767
http://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=21998a351512eba4ed5969006f0c55882d995ada

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Information disclosure in Linux kernel

Red Hat Enterprise Linux 8.1 Extended Update Support update for kpatch-patch

Red Hat Enterprise Linux 8.1 Extended Update Support update for kernel

Red Hat Enterprise Linux 8 update for kpatch-patch

Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions update for kernel

Red Hat Enterprise Linux 8 update for kernel-rt

Red Hat Enterprise Linux 8 update for kernel