CVE-2022-32166 — Out-of-bounds Read in OVS

CWE-125 — Out-of-bounds Read CWE-126 — Buffer Over-read9 documents8 sources

Severity

6.1MEDIUMNVD

EPSS

0.6%

top 29.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

OVS Openvswitch Cloudbase Open Vswitch +1 more

Timeline

PublishedSep 28

Latest updateOct 25

Description

In ovs versions v0.90.0 through v2.5.0 are vulnerable to heap buffer over-read in flow.c. An unsafe comparison of “minimasks” function could lead access to an unmapped region of memory. This vulnerability is capable of crashing the software, memory modification, and possible remote execution.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:HExploitability: 1.8 | Impact: 4.2

Affected Packages3 packages

▶CVEListV5ovs/ovsv0.90.0 — unspecified+1

▶Debianopenvswitch/openvswitch< 2.13.0+dfsg1-1+3

▶NVDcloudbase/open_vswitch0.90.0 — 2.5.0

Also affects: Debian Linux 10.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-3q99-mmr6-6chg: In ovs versions v0↗2022-09-29

▶

CVEList

ovs - buffer over-read↗2022-09-28

▶

OSV

CVE-2022-32166: In ovs versions v0↗2022-09-28

▶

📋Vendor Advisories

Ubuntu

Open vSwitch vulnerability↗2022-10-25

▶

Ubuntu

Open vSwitch vulnerability↗2022-10-25

▶

Red Hat

openvswitch: Heap buffer over-read in flow.c↗2022-09-28

▶

Debian

CVE-2022-32166: openvswitch - In ovs versions v0.90.0 through v2.5.0 are vulnerable to heap buffer over-read i...↗2022

▶

💬Community

Bugzilla

CVE-2022-32166 openvswitch: Heap buffer over-read in flow.c↗2022-09-28

▶