Описание
In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check.
Отчет
This vulnerability arises from missing bounds checks in xdp_linearize_page(), which can lead to an out-of-bounds read if the virtio-backend provides an invalid buffer length. The issue can be triggered by a malicious or compromised host/hypervisor that controls the virtqueue, resulting in memory disclosure or denial-of-service within the guest kernel. The CVSS vector uses AV:A (Adjacent Network) rather than AV:N, because the attack requires control of the local virtio communication channel between host and guest rather than being launched over an arbitrary external network. This reflects that the threat originates from an adjacent execution environment (e.g., host, co-tenant, or hypervisor component) rather than a remote Internet attacker. The issue is rated PR:H because only privileged control of the virtio-net device (e.g., by the hypervisor or a privileged host process) can supply crafted buffers to reach the flawed code path, making it inaccessible to unprivileged guest users or remote attackers.
Меры по смягчению последствий
To mitigate this issue, prevent module virtio_net from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Not affected | ||
| Red Hat Enterprise Linux 6 | kernel | Out of support scope | ||
| Red Hat Enterprise Linux 7 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 8 | kernel | Fix deferred | ||
| Red Hat Enterprise Linux 8 | kernel-rt | Fix deferred | ||
| Red Hat Enterprise Linux 9 | kernel | Fix deferred | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Fix deferred |
Показывать по
Дополнительная информация
Статус:
EPSS
5.2 Medium
CVSS3
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check.
In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check.
virtio-net: ensure the received length does not exceed allocated size
In the Linux kernel, the following vulnerability has been resolved: v ...
In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check.
EPSS
5.2 Medium
CVSS3