CVE-2020-12656Missing Release of Memory after Effective Lifetime in Kernel

CWE-401Missing Release of Memory after Effective LifetimeCWE-772Missing Release of Resource after Effective Lifetime13 documents9 sources
Severity
5.5MEDIUMNVD
OSV7.8
EPSS
0.1%
top 70.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Linux KernelCanonical Ubuntu LinuxOpensuse Leap
Timeline
PublishedMay 5
Latest updateMay 24

Description

gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation in the Linux kernel through 5.6.10 lacks certain domain_release calls, leading to a memory leak. Note: This was disputed with the assertion that the issue does not grant any access not already available. It is a problem that on unloading a specific kernel module some memory is leaked, but loading kernel modules is a privileged operation. A user could also write a kernel module to consume any amount of me

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

Debianlinux/linux_kernel< 5.7.6-1+3
Ubuntulinux/linux_kernel< 4.15.0-115.116+1
NVDlinux/linux_kernel5.6.10
NVDopensuse/leap15.1, 15.2+1

Also affects: Ubuntu Linux 14.04, 16.04, 18.04, 20.04

🔴Vulnerability Details

5
GHSA
GHSA-j42j-7596-mcr4: gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch2022-05-24
OSV
linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities2020-09-03
OSV
linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4 vulnerabilities2020-09-03
CVEList
CVE-2020-12656: gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch2020-05-05
OSV
CVE-2020-12656: gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch2020-05-05

📋Vendor Advisories

5
Ubuntu
Linux kernel vulnerabilities2020-09-03
Ubuntu
Linux kernel vulnerabilities2020-09-03
Microsoft
gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation in the Linux kernel through 5.6.10 lacks certain domain_release calls leading to a memory leak. Note: This 2020-05-12
Red Hat
kernel: gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation lacks certain domain_release calls, leading to a memory leak.2020-05-05
Debian
CVE-2020-12656: linux - gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 im...2020

💬Community

2
Bugzilla
CVE-2020-12656 kernel: gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation lacks certain domain_release calls, leading to a memory leak.2020-05-07
Bugzilla
CVE-2020-12656 kernel: gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation lacks certain domain_release calls, leading to a memory leak. [fedora-all]2020-05-07
CVE-2020-12656 — Linux Kernel vulnerability | cvebase