#VU61211 Missing initialization of resource in Linux kernel


Published: 2022-03-09

Vulnerability identifier: #VU61211

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-24448

CWE-ID: CWE-909

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor:

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to missing initialization of a resource in fs/nfs/dir.c in the Linux kernel. If an application sets the O_DIRECTORY flag and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.

Mitigation
Install updates from vendor's website.
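
To confirm the expected behaviour after updating, the following check opens a regular file with O_DIRECTORY and verifies that open() fails with ENOTDIR. It is an added example, not code from this advisory or from the kernel sources; the function names, result codes and the /tmp template are assumptions of the example. Run without arguments it tests a constructed temporary file; pass the path of a regular file on the NFS mount to test that mount.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes O_DIRECTORY and mkstemp() in glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical result codes used only by this example. */
enum check_result { CHECK_OK, CHECK_GOT_FD, CHECK_OTHER_ERRNO, CHECK_NOT_REGULAR };

/* Open a regular file with O_DIRECTORY and classify the kernel's answer.
 * Correct behaviour: open() fails with ENOTDIR. A descriptor that is
 * returned anyway is closed immediately and never read. */
enum check_result check_o_directory(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return CHECK_NOT_REGULAR;      /* the check only applies to regular files */

    errno = 0;
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd >= 0) {
        close(fd);
        return CHECK_GOT_FD;           /* open() must not succeed here */
    }
    return errno == ENOTDIR ? CHECK_OK : CHECK_OTHER_ERRNO;
}

/* Run the check against a constructed temporary file (local file system). */
enum check_result check_temp_file(void)
{
    char tmpl[] = "/tmp/odir-check-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return CHECK_NOT_REGULAR;
    close(fd);
    enum check_result r = check_o_directory(tmpl);
    unlink(tmpl);
    return r;
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "ok: ENOTDIR returned", "FAIL: descriptor returned",
                                 "unexpected errno", "path is not a regular file" };
    enum check_result r = argc > 1 ? check_o_directory(argv[1]) : check_temp_file();
    printf("%s\n", msg[r]);
    return r;
}
```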

Vulnerable software versions


External links
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ac795161c93699d600db16c1a8cc23a65a1eceaf
http://www.spinics.net/lists/stable/msg531976.html
http://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.5
http://github.com/torvalds/linux/commit/ac795161c93699d600db16c1a8cc23a65a1eceaf

