#VU65360 Type Confusion


Published: 2022-07-21 | Updated: 2022-10-08

Vulnerability identifier: #VU65360

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-34918

CWE-ID: CWE-843

Exploitation vector: Local

Exploit availability: Yes

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists in the Linux kernel’s Netfilter subsystem in the way a user provides incorrect input of the NFT_DATA_VERDICT type. A local user can pass specially crafted data to the application, trigger a type confusion error and escalate privileges on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Linux kernel: All versions


CPE

External links
http://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6
http://www.openwall.com/lists/oss-security/2022/07/02/3
http://lore.kernel.org/netfilter-devel/cd9428b6-7ffb-dd22-d949-d86f4869f452@randorisec.fr/T/#u
http://www.openwall.com/lists/oss-security/2022/07/05/1


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability