cbcvebase.
CVE-2009-3002
published 2009-08-28

CVE-2009-3002: The Linux kernel before 2.6.31-rc7 does not initialize certain data structures within getname functions, which allows local users to read the contents of some…

PriorityP420medium4.9CVSS 2.0
AVLACLAuNCCINAN
EXPLOIT
EPSS
1.03%
59.3th percentile
The Linux kernel before 2.6.31-rc7 does not initialize certain data structures within getname functions, which allows local users to read the contents of some kernel memory locations by calling getsockname on (1) an AF_APPLETALK socket, related to the atalk_getname function in net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket, related to the econet_getname function in net/econet/af_econet.c; (4) an AF_NETROM socket, related to the nr_getname function in net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket, related to the raw_getname function in net/can/raw.c.

Affected

6 ranges
VendorProductVersion rangeFixed in
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
linuxlinux_kernel< 2.6.312.6.31
linuxlinux_kernel

CVSS provenance

nvdv2.04.9MEDIUMAV:L/AC:L/Au:N/C:C/I:N/A:N
vendor_redhat4.9MEDIUM
vendor_ubuntu4.4MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.