CVE-2020-10766
published 2020-09-15CVE-2020-10766: A logic bug flaw was found in Linux kernel before 5.8-rc1 in the implementation of SSBD. A bug in the logic handling allows an attacker with a local account to…
PriorityP425medium5.5CVSS 3.1
AVLACLPRLUINSUCHINAN
EPSS
0.46%
36.7th percentile
A logic bug flaw was found in Linux kernel before 5.8-rc1 in the implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context switch when additional speculative execution mitigations are in place. This issue was introduced when the per task/process conditional STIPB switching was added on top of the existing SSBD switching. The highest threat from this vulnerability is to confidentiality.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 5.7.6-1 (bookworm) | linux 5.7.6-1 (bookworm) |
| android | — | — | |
| linux | linux_kernel | < 5.8.0 | 5.8.0 |
| linux | linux_kernel | >= 0 < 5.7.6-1 | 5.7.6-1 |
| linux | linux_kernel | >= 0 < 5.7.6-1 | 5.7.6-1 |
| linux | linux_kernel | >= 0 < 5.7.6-1 | 5.7.6-1 |
| linux | linux_kernel | >= 0 < 5.7.6-1 | 5.7.6-1 |
| linux | linux_kernel | >= 0 < 4.4.0-186.216 | 4.4.0-186.216 |
| linux | linux_kernel | >= 0 < 4.15.0-115.116 | 4.15.0-115.116 |
| linux | linux_kernel | >= 0 < 5.4.0-45.49 | 5.4.0-45.49 |
| linux_kernel | kernel | — | — |
| msrc | cm1_kernel_5.4.91-3_on_cbl_mariner_1.0 | — | — |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvdv2.02.1LOWAV:L/AC:L/Au:N/C:P/I:N/A:N
osv7.8HIGH
vendor_ubuntu7.8HIGH
vendor_debian5.5MEDIUM
vendor_msrc5.5MEDIUM
vendor_redhat5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Android
CVE-2020-10766: Speculative execution
vendor_android·2021-01-01·CVSS 5.5
CVE-2020-10766 [MEDIUM] CVE-2020-10766: Speculative execution
Android Security Bulletin 2021-01-01
CVE: CVE-2020-10766
Severity: HIGH
Type: ID
Component: Speculative execution
References: A-169505740
Upstream kernel
Microsoft
A logic bug flaw was found in Linux kernel before 5.8-rc1 in the implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context
vendor_msrc·2020-09-08·CVSS 5.5
CVE-2020-10766 [MEDIUM] CWE-440 A logic bug flaw was found in Linux kernel before 5.8-rc1 in the implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context
A logic bug flaw was found in Linux kernel before 5.8-rc1 in the implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context switch when additional speculative execution mitigations are in place. This issue was introduced when the per task/process conditional STIPB switching was added on top of the existing SSBD switching. The highest threat from this vulnerability is to confidentiality.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open sour
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2020-09-03·CVSS 5.5
CVE-2019-20810 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Chuhong Yuan discovered that go7007 USB audio device driver in the Linux
kernel did not properly deallocate memory in some failure conditions. A
physically proximate attacker could use this to cause a denial of service
(memory exhaustion). (CVE-2019-20810)
Fan Yang discovered that the mremap implementation in the Linux kernel did
not properly handle DAX Huge Pages. A local attacker with access to DAX
storage could use this to gain administrative privileges. (CVE-2020-10757)
It was discovered that the Linux kernel did not correctly apply Speculative
Store Bypass Disable (SSBD) mitigations in certain situations. A local
attacker could possibly use this to expose sensitive information.
(CV
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2020-09-03·CVSS 7.8
CVE-2018-20669 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Timothy Michaud discovered that the i915 graphics driver in the Linux
kernel did not properly validate user memory locations for the
i915_gem_execbuffer2_ioctl. A local attacker could possibly use this to
cause a denial of service or execute arbitrary code. (CVE-2018-20669)
It was discovered that the Kvaser CAN/USB driver in the Linux kernel did
not properly initialize memory in certain situations. A local attacker
could possibly use this to expose sensitive information (kernel memory).
(CVE-2019-19947)
Chuhong Yuan discovered that go7007 USB audio device driver in the Linux
kernel did not properly deallocate memory in some failure conditions. A
physically proximate attacker could use t
Ubuntu
linux kernel vulnerabilities
vendor_ubuntu·2020-07-31·CVSS 4.1
CVE-2019-16089 [MEDIUM] linux kernel vulnerabilities
Title: linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the network block device (nbd) implementation in the
Linux kernel did not properly check for error conditions in some
situations. An attacker could possibly use this to cause a denial of
service (system crash). (CVE-2019-16089)
It was discovered that the kernel->user space relay implementation in the
Linux kernel did not properly check return values in some situations. A
local attacker could possibly use this to cause a denial of service (system
crash). (CVE-2019-19462)
Chuhong Yuan discovered that go7007 USB audio device driver in the Linux
kernel did not properly deallocate memory in some failure conditions. A
physically proximate attacker could use this to caus
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2020-07-27·CVSS 4.1
CVE-2019-12380 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the network block device (nbd) implementation in the
Linux kernel did not properly check for error conditions in some
situations. An attacker could possibly use this to cause a denial of
service (system crash). (CVE-2019-16089)
It was discovered that the btrfs file system implementation in the Linux
kernel did not properly validate file system metadata in some situations.
An attacker could use this to construct a malicious btrfs image that, when
mounted, could cause a denial of service (system crash). (CVE-2019-19036)
It was discovered that the kernel->user space relay implementation in the
Linux kernel did not properly check return values in some situations. A
lo
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2020-07-27·CVSS 4.6
CVE-2020-10768 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Kvaser CAN/USB driver in the Linux kernel did
not properly initialize memory in certain situations. A local attacker
could possibly use this to expose sensitive information (kernel memory).
(CVE-2019-19947)
Chuhong Yuan discovered that go7007 USB audio device driver in the Linux
kernel did not properly deallocate memory in some failure conditions. A
physically proximate attacker could use this to cause a denial of service
(memory exhaustion). (CVE-2019-20810)
Jason A. Donenfeld discovered that the ACPI implementation in the Linux
kernel did not properly restrict loading SSDT code from an EFI variable. A
privileged attacker could use this to bypass Secure Boot
Red Hat
kernel: Rogue cross-process SSBD shutdown. Linux scheduler logical bug allows an attacker to turn off the SSBD protection.
vendor_redhat·2020-06-09·CVSS 5.5
CVE-2020-10766 [MEDIUM] CWE-440 kernel: Rogue cross-process SSBD shutdown. Linux scheduler logical bug allows an attacker to turn off the SSBD protection.
kernel: Rogue cross-process SSBD shutdown. Linux scheduler logical bug allows an attacker to turn off the SSBD protection.
A logic bug flaw was found in Linux kernel before 5.8-rc1 in the implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context switch when additional speculative execution mitigations are in place. This issue was introduced when the per task/process conditional STIPB switching was added on top of the existing SSBD switching. The highest threat from this vulnerability is to confidentiality.
A logic bug flaw was found in the Linux kernel’s implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context switch when additional
Debian
CVE-2020-10766: linux - A logic bug flaw was found in Linux kernel before 5.8-rc1 in the implementation ...
vendor_debian·2020·CVSS 5.5
CVE-2020-10766 [MEDIUM] CVE-2020-10766: linux - A logic bug flaw was found in Linux kernel before 5.8-rc1 in the implementation ...
A logic bug flaw was found in Linux kernel before 5.8-rc1 in the implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context switch when additional speculative execution mitigations are in place. This issue was introduced when the per task/process conditional STIPB switching was added on top of the existing SSBD switching. The highest threat from this vulnerability is to confidentiality.
Scope: local
bookworm: resolved (fixed in 5.7.6-1)
bullseye: resolved (fixed in 5.7.6-1)
forky: resolved (fixed in 5.7.6-1)
sid: resolved (fixed in 5.7.6-1)
trixie: resolved (fixed in 5.7.6-1)
GHSA
GHSA-c87p-h49c-qjmw: A logic bug flaw was found in Linux kernel before 5
ghsa_unreviewed·2022-05-24
CVE-2020-10766 [MEDIUM] GHSA-c87p-h49c-qjmw: A logic bug flaw was found in Linux kernel before 5
A logic bug flaw was found in Linux kernel before 5.8-rc1 in the implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context switch when additional speculative execution mitigations are in place. This issue was introduced when the per task/process conditional STIPB switching was added on top of the existing SSBD switching. The highest threat from this vulnerability is to confidentiality.
OSV
CVE-2020-10766: In __speculation_ctrl_update of process
osv·2021-01-01
CVE-2020-10766 CVE-2020-10766: In __speculation_ctrl_update of process
In __speculation_ctrl_update of process.c, there is a possible way to disable Speculative Store Bypass Disable due to a logic error, which allows for side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
OSV
CVE-2020-10766: A logic bug flaw was found in Linux kernel before 5
osv·2020-09-15·CVSS 5.5
CVE-2020-10766 [MEDIUM] CVE-2020-10766: A logic bug flaw was found in Linux kernel before 5
A logic bug flaw was found in Linux kernel before 5.8-rc1 in the implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context switch when additional speculative execution mitigations are in place. This issue was introduced when the per task/process conditional STIPB switching was added on top of the existing SSBD switching. The highest threat from this vulnerability is to confidentiality.
OSV
linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities
osv·2020-09-03·CVSS 7.8
CVE-2018-20669 [HIGH] linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities
linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities
Timothy Michaud discovered that the i915 graphics driver in the Linux
kernel did not properly validate user memory locations for the
i915_gem_execbuffer2_ioctl. A local attacker could possibly use this to
cause a denial of service or execute arbitrary code. (CVE-2018-20669)
It was discovered that the Kvaser CAN/USB driver in the Linux kernel did
not properly initialize memory in certain situations. A local attacker
could possibly use this to expose sensitive information (kernel memory).
(CVE-2019-19947)
Chuhong Yuan discovered that go7007 USB audio device driver in the Linux
kernel did not
OSV
linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4 vulnerabilities
osv·2020-09-03·CVSS 5.5
CVE-2019-20810 [MEDIUM] linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4 vulnerabilities
linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4 vulnerabilities
Chuhong Yuan discovered that go7007 USB audio device driver in the Linux
kernel did not properly deallocate memory in some failure conditions. A
physically proximate attacker could use this to cause a denial of service
(memory exhaustion). (CVE-2019-20810)
Fan Yang discovered that the mremap implementation in the Linux kernel did
not properly handle DAX Huge Pages. A local attacker with access to DAX
storage could use this to gain administrative privileges. (CVE-2020-10757)
It was discovered that the Linux kernel did not correctly apply Speculative
Store Bypass Disable (SSBD) mitigations in certain
OSV
linux-hwe, linux-aws-5.3, linux-azure-5.3, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-oracle-5.3, linux-raspi2-5.3 vulnerabilities
osv·2020-07-31·CVSS 4.1
CVE-2019-16089 [MEDIUM] linux-hwe, linux-aws-5.3, linux-azure-5.3, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-oracle-5.3, linux-raspi2-5.3 vulnerabilities
linux-hwe, linux-aws-5.3, linux-azure-5.3, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-oracle-5.3, linux-raspi2-5.3 vulnerabilities
It was discovered that the network block device (nbd) implementation in the
Linux kernel did not properly check for error conditions in some
situations. An attacker could possibly use this to cause a denial of
service (system crash). (CVE-2019-16089)
It was discovered that the kernel->user space relay implementation in the
Linux kernel did not properly check return values in some situations. A
local attacker could possibly use this to cause a denial of service (system
crash). (CVE-2019-19462)
Chuhong Yuan discovered that go7007 USB audio device driver in the Linux
kernel did not properly deallocate memory in some failure conditions. A
physically proximat
OSV
linux-gke-5.0, linux-oem-osp1 vulnerabilities
osv·2020-07-27·CVSS 4.1
CVE-2019-16089 [MEDIUM] linux-gke-5.0, linux-oem-osp1 vulnerabilities
linux-gke-5.0, linux-oem-osp1 vulnerabilities
It was discovered that the network block device (nbd) implementation in the
Linux kernel did not properly check for error conditions in some
situations. An attacker could possibly use this to cause a denial of
service (system crash). (CVE-2019-16089)
It was discovered that the btrfs file system implementation in the Linux
kernel did not properly validate file system metadata in some situations.
An attacker could use this to construct a malicious btrfs image that, when
mounted, could cause a denial of service (system crash). (CVE-2019-19036)
It was discovered that the kernel->user space relay implementation in the
Linux kernel did not properly check return values in some situations. A
local attacker could possibly use this to cause a denial o
OSV
linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon vulnerabilities
osv·2020-07-27·CVSS 4.6
CVE-2019-19947 [MEDIUM] linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon vulnerabilities
linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon vulnerabilities
It was discovered that the Kvaser CAN/USB driver in the Linux kernel did
not properly initialize memory in certain situations. A local attacker
could possibly use this to expose sensitive information (kernel memory).
(CVE-2019-19947)
Chuhong Yuan discovered that go7007 USB audio device driver in the Linux
kernel did not properly deallocate memory in some failure conditions. A
physically proximate attacker could use this to cause a denial of service
(memory exhaustion). (CVE-2019-20810)
Jason A. Donenfeld discovered that the ACPI implementation in the Linux
kernel did not properly restrict loading SSDT code from an EFI variable. A
privileged attacker could use this to bypass Secure Boot lockdown
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-10766 kernel: Rogue cross-process SSBD shutdown. Linux scheduler logical bug allows an attacker to turn off the SSBD protection. [fedora-all]
bugzilla·2020-06-16·CVSS 5.5
CVE-2020-10766 [MEDIUM] CVE-2020-10766 kernel: Rogue cross-process SSBD shutdown. Linux scheduler logical bug allows an attacker to turn off the SSBD protection. [fedora-all]
CVE-2020-10766 kernel: Rogue cross-process SSBD shutdown. Linux scheduler logical bug allows an attacker to turn off the SSBD protection. [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fed
Bugzilla
CVE-2020-10766 kernel: Rogue cross-process SSBD shutdown. Linux scheduler logical bug allows an attacker to turn off the SSBD protection.
bugzilla·2020-06-10·CVSS 5.5
CVE-2020-10766 [MEDIUM] CVE-2020-10766 kernel: Rogue cross-process SSBD shutdown. Linux scheduler logical bug allows an attacker to turn off the SSBD protection.
CVE-2020-10766 kernel: Rogue cross-process SSBD shutdown. Linux scheduler logical bug allows an attacker to turn off the SSBD protection.
A logic bug was found in the Linux kernels implementation of SSBD. A bug in the logic handling can allow an attacker with a local account to disable SSBD protection during a context switch when additional speculative execution mitigations are in place.
This was introduced when the per task/process conditional STIPB switching was added on top of the existing SSBD switching.
Introduced by:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5bfbe3ad5840d941b89bcac54b821ba14f50a0ba
Discussion:
That makes the CPU vulnerable to Spectre v4.
---
Mitigation:
Mitigation for this issue is either not available or the currently avai
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10766https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dbbe2ad02e9df26e372f38cc3e70dab9222c832ehttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10766https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dbbe2ad02e9df26e372f38cc3e70dab9222c832e
2020-09-15
Published