CVE-2020-27170 — Observable Discrepancy in Kernel
Severity
4.7MEDIUMNVD
EPSS
0.2%
top 64.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 20
Latest updateMay 24
Description
An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit.
CVSS vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.0 | Impact: 3.6
Affected Packages2 packages
Also affects: Debian Linux 9.0, Ubuntu Linux 14.04, 16.04, 18.04, 20.04, Fedora 32, 33, 34
Patches
🔴Vulnerability Details
4OSV▶
linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2 linux-snapdragon vulnerabilities↗2021-03-29
📋Vendor Advisories
5Microsoft▶
An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic leading to side-channel attacks that defeat Spectr↗2021-03-09
Debian▶
CVE-2020-27170: linux - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c...↗2020