In the Linux kernel, the following vulnerability has been resolved: xfrm: clear trailing padding in build_polexpire() build_expire() clears the trailing padding bytes of struct xfrm_user_expire after setting the hard field via memset_after(), but the analogous function build_polexpire() does not do this for struct xfrm_user_polexpire. The padding bytes after the __u8 hard field are left uninitialized from the heap allocation, and are then sent to userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners, leaking kernel heap memory contents. Add the missing memset_after() call, matching build_expire().
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
NVD-CWE-noinfo
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc9f6280> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc9f7900> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc9f5b40> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd6a7800> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc9f71c0> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702bdd6a5940> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702bdc9f7880> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702bdd6a7d00> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702bdc9f46c0> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702bdd6a4140> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702b83a6fe00> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdc9f7ec0> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdc3f4ec0> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd6a4180> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd6a5780> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdc9f5a80> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdc9f5a00> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* |