CVE-2022-0854 — Sensitive Information Exposure in Linux

CWE-200 — Sensitive Information Exposure CWE-401 — Missing Release of Memory after Effective Lifetime9 documents8 sources

Severity

5.5MEDIUMNVD

OSV4.4

EPSS

0.0%

top 95.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Debian Linux Debian Linux +3 more

Timeline

PublishedMar 23

Latest updateFeb 14

Description

A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages7 packages

▶Debianlinux/linux_kernel< 5.10.120-1+3

▶NVDlinux/linux_kernel5.16+1

▶CVEListV5linux/linux_kernelLinux kernel 5.17-rc8

▶debiandebian/linux< linux 5.17.3-1 (bookworm)

▶msrcmsrc/cbl2_kernel_5.15.37.1-2_on_cbl_mariner_2.0

Also affects: Debian Linux 10.0, 11.0, 9.0

🔴Vulnerability Details

OSV

linux-oem-5.14 vulnerabilities↗2022-04-20

▶

GHSA

GHSA-hjpw-pwwm-fvgm: A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE↗2022-03-24

▶

OSV

CVE-2022-0854: A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE↗2022-03-23

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2024-02-14

▶

Ubuntu

Linux kernel (OEM) vulnerabilities↗2022-04-20

▶

Microsoft

A memory leak flaw was found in the Linux kernel’s DMA subsystem in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.↗2022-03-08

▶

Red Hat

kernel: swiotlb information leak with DMA_FROM_DEVICE↗2022-03-07

▶

Debian

CVE-2022-0854: linux - A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a u...↗2022

▶