#VU63160 Double Free


Published: 2022-05-13

Vulnerability identifier: #VU63160

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-28388

CWE-ID: CWE-415

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to execute arbitrary code with elevated privileges.

The vulnerability exists due to boundary error in the usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c. A local user can pass specially crafted data to the application, trigger double free error and execute arbitrary code with elevated privileges.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Linux kernel: All versions


CPE

External links
http://github.com/torvalds/linux/commit/3d3925ff6433f98992685a9679613a2cc97f3ce2
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LAWC35TO642FOP3UCA3C6IF7NAUFOVZ6/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFMPUI3WI4U2F7ONHRW36WDY4ZE7LGGT/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6IHHC455LMSJNG4CSZ5CEAHYWY2DE5YW/
http://www.debian.org/security/2022/dsa-5127


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability