#VU61211 Missing initialization of resource


Published: 2022-03-09

Vulnerability identifier: #VU61211

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-24448

CWE-ID: CWE-909

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor:

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to missing initialization of resource within the fs/nfs/dir.c in the Linux kernel. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.

Mitigation
Install updates from vendor's website.

Vulnerable software versions


External links
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ac795161c93699d600db16c1a8cc23a65a1eceaf
http://www.spinics.net/lists/stable/msg531976.html
http://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.5
http://github.com/torvalds/linux/commit/ac795161c93699d600db16c1a8cc23a65a1eceaf


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability