#VU63164 Double Free


Published: 2022-05-13

Vulnerability identifier: #VU63164

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-28390

CWE-ID: CWE-415

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to execute arbitrary code with elevated privileges.

The vulnerability exists due to boundary error in ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c. A local user can pass specially crafted data to the application, trigger double free error and execute arbitrary code with elevated privileges.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Linux kernel: All versions


CPE

External links
http://github.com/torvalds/linux/commit/c70222752228a62135cee3409dccefd494a24646
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LAWC35TO642FOP3UCA3C6IF7NAUFOVZ6/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFMPUI3WI4U2F7ONHRW36WDY4ZE7LGGT/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6IHHC455LMSJNG4CSZ5CEAHYWY2DE5YW/
http://www.debian.org/security/2022/dsa-5127


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability