CVE-2022-26365

Published: Jul 5, 2022Modified: Nov 21, 2024

7.1

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Exploitability: 1.8 / Impact: 5.2

Source: NVD

Description

Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

Affected (22)

Products: Linux: Linux Kernel · Xen: Xen · Debian: Debian Linux · +1 more

Show all products

Linux: Linux Kernel · Xen: Xen · Debian: Debian Linux · Fedoraproject: Fedora

1 product

1 product

1 product

1 product

Configuration A

18 vulnerable

Vulnerable Software	Affected Versions
Linux Linux Kernel	From 2.6.13 to 4.9.322
Linux Linux Kernel	From 4.14 to 4.14.287
Linux Linux Kernel	From 4.19 to 4.19.251
Linux Linux Kernel	From 5.10 to 5.10.129
Linux Linux Kernel	From 5.15 to 5.15.53
Linux Linux Kernel	From 5.18 to 5.18.10
Linux Linux Kernel	From 5.4 to 5.4.204
Linux Linux Kernel	Version 2.6.12 rc2
Linux Linux Kernel	Version 2.6.12 rc3
Linux Linux Kernel	Version 2.6.12 rc4
Linux Linux Kernel	Version 2.6.12 rc5
Linux Linux Kernel	Version 2.6.12 rc6
Linux Linux Kernel	Version 5.19 rc1
Linux Linux Kernel	Version 5.19 rc2
Linux Linux Kernel	Version 5.19 rc3
Linux Linux Kernel	Version 5.19 rc4
Linux Linux Kernel	Version 5.19 rc5
Xen Xen	All versions

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 35
Fedoraproject Fedora	Version 36

Related CWEs

Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

References (14)

http://www.openwall.com/lists/oss-security/2022/07/05/6

Source: security@xen.org

Mailing ListPatchThird Party Advisory

http://xenbits.xen.org/xsa/advisory-403.html

Source: security@xen.org

PatchVendor Advisory

https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html

Source: security@xen.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGFTRZ66KQYTSYIRT5FRHF5D6O72NWOP/

Source: security@xen.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/

Source: security@xen.org

https://www.debian.org/security/2022/dsa-5191

Source: security@xen.org

Third Party Advisory

https://xenbits.xenproject.org/xsa/advisory-403.txt

Source: security@xen.org

Vendor Advisory

http://www.openwall.com/lists/oss-security/2022/07/05/6

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatchThird Party Advisory

http://xenbits.xen.org/xsa/advisory-403.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGFTRZ66KQYTSYIRT5FRHF5D6O72NWOP/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.debian.org/security/2022/dsa-5191

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://xenbits.xenproject.org/xsa/advisory-403.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.