Integer overflow in Jetson AGX Xavier series and Jetson Xavier NX

#VU62606 Integer overflow in Jetson AGX Xavier series and Jetson Xavier NX

Published: 2022-04-26

Vulnerability identifier: #VU62606

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-28197

CWE-ID: CWE-190

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Jetson AGX Xavier series
Hardware solutions / Firmware
Jetson Xavier NX
Hardware solutions / Firmware

Vendor: nVidia

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to integer overflow in the Cboot ext4_mount function. A local user can trigger an integer overflow and execute arbitrary code with elevated privileges.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Jetson AGX Xavier series: 31.1 - 32.7.1

Jetson Xavier NX: 31.1 - 32.7.1

CPE

cpe:2.3:h:nvidia:jetson_agx_xavier_series:32.7.1:*:*:*:*:*:*:*

External links
http://nvidia.custhelp.com/app/answers/detail/a_id/5343

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in NVIDIA Jetson Linux Driver Package