CVE-2009-3228: Missing Initialization of Resource in Kernel

Severity: 2.1 LOW (NVD)
EPSS: 0.1% (top 77.11%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 19; Latest update May 2

Description

The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors.

CVSS vector

AV:L/AC:L/C:P/I:N/A:N (Exploitability: 3.9 | Impact: 2.9)

Affected Packages (4 packages)

Also affects: Ubuntu Linux 6.06, 8.04, 8.10, 9.04, 9.10, Enterprise Linux 5.4

Patches

Vulnerability Details (1)

GHSA: GHSA-53hx-f3mf-p54c: The tc_fill_tclass function in net/sched/sch_api (2022-05-02)

Vendor Advisories (2)

Ubuntu: Linux kernel vulnerabilities (2009-12-05)
Red Hat: kernel: tc: uninitialised kernel memory leak (2009-09-02)

Community (1)

Bugzilla: CVE-2009-3228 kernel: tc: uninitialised kernel memory leak (2009-09-03)