Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2022-42432

Public on 2023-03-29
Modified on 2024-01-12
Description

This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel 6.0-rc2. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the nft_osf_eval function. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. Was ZDI-CAN-18540.

Severity
Medium
See what this means
CVSS v3 Base Score
4.1
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 - Kernel-5.10 Extra kernel 2022-10-17 22:06 ALAS2KERNEL-5.10-2022-021
Amazon Linux 2 - Kernel-5.15 Extra kernel 2022-10-17 22:06 ALAS2KERNEL-5.15-2022-009
Amazon Linux 2 - Kernel-5.4 Extra kernel 2022-10-17 22:06 ALAS2KERNEL-5.4-2022-037

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 4.1 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
NVD CVSSv3 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

References

Red Hat: CVE-2022-42432 Mitre: CVE-2022-42432 FAQs regarding Amazon Linux ALAS/CVE Severity