In the Linux kernel, the following vulnerability has been resolved:
netfilter: nftables: exthdr: fix 4-byte stack OOB write
If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.
This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.
The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.
Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | kernel | 2024-05-09 17:43 | ALAS-2024-1937 |
Amazon Linux 2 - Core | kernel | 2024-05-09 19:16 | ALAS2-2024-2542 |
Amazon Linux 2 - Kernel-5.10 Extra | kernel | 2023-10-31 00:17 | ALAS2KERNEL-5.10-2023-042 |
Amazon Linux 2 - Kernel-5.15 Extra | kernel | 2023-09-27 22:59 | ALAS2KERNEL-5.15-2023-027 |
Amazon Linux 2 - Kernel-5.4 Extra | kernel | 2024-05-23 23:02 | ALAS2KERNEL-5.4-2024-069 |
Amazon Linux 2023 | kernel | 2023-09-27 21:04 | ALAS2023-2023-356 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv3 | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |