CVE-2009-3612 — Sensitive Information Exposure in Kernel

CWE-200 — Sensitive Information Exposure8 documents7 sources

Severity

2.1LOWNVD

CNA4.9

EPSS

0.1%

top 77.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Canonical Ubuntu Linux Fedoraproject Fedora +4 more

Timeline

PublishedOct 19

Latest updateNov 21

Description

The tcf_fill_node function in net/sched/cls_api.c in the netlink subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6 and earlier, does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2005-4881.

CVSS vector

AV:L/AC:L/C:P/I:N/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages5 packages

▶NVDlinux/linux_kernel2.6.0 — 2.6.32+2

▶NVDsuse/linux_enterprise_server10

▶NVDsuse/linux_enterprise_desktop10

▶NVDsuse/linux_enterprise_software_development_kit10

▶NVDopensuse/opensuse11.0

Also affects: Ubuntu Linux 6.06, 8.04, 8.10, 9.04, 9.10, Fedora 10

Patches

Patch: patchwork.ozlabs.org ↗Patch: bugzilla.redhat.com ↗Patch: patchwork.ozlabs.org ↗

🔴Vulnerability Details

GHSA

GHSA-vr55-mp4p-wfh2: The tcf_fill_node function in net/sched/cls_api↗2022-05-02

▶

CVEList

CVE-2009-3612: The tcf_fill_node function in net/sched/cls_api↗2009-10-19

▶

📋Vendor Advisories

Ubuntu

Linux kernel vulnerabilities↗2009-12-05

▶

Red Hat

kernel: tcf_fill_node() infoleak due to typo in 9ef1d4c7↗2009-10-08

▶

📄Research Papers

arXiv

Characteristics, Root Causes, and Detection of Incomplete Security Bug Fixes in the Linux Kernel↗2025-11-21

▶

arXiv

Quantifying Information Leak Vulnerabilities↗2010-07-06

▶

💬Community

Bugzilla

CVE-2009-3612 kernel: tcf_fill_node() infoleak due to typo in 9ef1d4c7↗2009-10-14

▶