#VU64793 Buffer Over-read in Linux kernel
Vulnerability identifier: #VU64793
Vulnerability risk: Low
CVSSv3.1: 5.1 [CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-126
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Linux kernel
Operating systems & Components /
Operating system
Vendor: Linux Foundation
Description
The vulnerability allows a local user with physical access to perform a denial of service attack.
The vulnerability exists due to an out-of-bounds (OOB) memory access flaw in fbcon_get_font() function in drivers/video/fbdev/core/fbcon.c in fbcon driver module in the Linux kernel. A local user with special user privilege and with physical access can gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Linux kernel:
External links
http://bugzilla.suse.com/show_bug.cgi?id=1178886
http://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.8.15
http://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5af08640795b2b9a940c9266c0260455377ae262
http://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6735b4632def0640dbdf4eb9f99816aca18c4f16
http://syzkaller.appspot.com/bug?id=08b8be45afea11888776f897895aef9ad1c3ecfd
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
