CVE-2022-33741Sensitive Information Exposure in Kernel

CWE-200Sensitive Information ExposureCWE-401Missing Release of Memory after Effective Lifetime60 documents6 sources
Severity
7.1HIGHNVD
OSV6.7OSV5.5OSV4.4OSV4.3
EPSS
0.0%
top 94.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Linux KernelXENDebian Linux+3 more
Timeline
PublishedJul 5
Latest updateOct 27

Description

Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible b

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages6 packages

debiandebian/linux< linux 5.18.14-1 (bookworm)
NVDlinux/linux_kernel2.6.134.9.322+8
Debianlinux/linux_kernel< 5.10.127-2+3
Ubuntulinux/linux_kernel< 4.15.0-194.205+3
debiandebian/xen< linux 5.18.14-1 (bookworm)

Also affects: Debian Linux 10.0, 11.0, Fedora 35, 36

Patches

Patch: www.openwall.comPatch: xenbits.xen.orgPatch: www.openwall.com

🔴Vulnerability Details

32
OSV
linux-azure-fde vulnerabilities2022-10-27
OSV
linux-gcp vulnerabilities2022-10-21
OSV
linux-azure-4.15 vulnerabilities2022-10-18
OSV
linux-azure vulnerabilities2022-10-17
OSV
linux-ibm vulnerabilities2022-10-14

📋Vendor Advisories

24
Ubuntu
Linux kernel (Azure CVM) vulnerabilities2022-10-27
Ubuntu
Linux kernel (GCP) vulnerabilities2022-10-21
Ubuntu
Linux kernel (Azure) vulnerabilities2022-10-18
Ubuntu
Linux kernel (Azure) vulnerabilities2022-10-17
Ubuntu
Linux kernel (IBM) vulnerabilities2022-10-14