Anolis OS update for kernel(ANCK)4.19

Updated: 2025-03-29
Risk High
Patch available YES
Number of vulnerabilities 123
CVE-ID CVE-2019-18808
CVE-2019-19057
CVE-2019-19073
CVE-2019-19074
CVE-2019-19077
CVE-2019-19241
CVE-2019-19462
CVE-2019-19947
CVE-2019-19965
CVE-2019-20096
CVE-2019-20636
CVE-2020-10711
CVE-2020-10732
CVE-2020-10751
CVE-2020-10766
CVE-2020-10767
CVE-2020-10768
CVE-2020-10781
CVE-2020-10942
CVE-2020-11608
CVE-2020-11609
CVE-2020-11668
CVE-2020-12465
CVE-2020-12655
CVE-2020-12657
CVE-2020-12769
CVE-2020-12888
CVE-2020-13974
CVE-2020-14314
CVE-2020-14351
CVE-2020-14385
CVE-2020-14386
CVE-2020-14416
CVE-2020-15436
CVE-2020-16119
CVE-2020-16166
CVE-2020-1749
CVE-2020-25211
CVE-2020-25212
CVE-2020-25284
CVE-2020-25285
CVE-2020-25645
CVE-2020-25656
CVE-2020-25668
CVE-2020-25704
CVE-2020-25705
CVE-2020-27825
CVE-2020-28374
CVE-2020-28974
CVE-2020-29369
CVE-2020-29374
CVE-2020-29660
CVE-2020-29661
CVE-2020-36516
CVE-2020-8428
CVE-2020-8647
CVE-2020-8648
CVE-2020-8649
CVE-2021-20317
CVE-2021-20321
CVE-2021-20322
CVE-2021-22555
CVE-2021-27363
CVE-2021-27364
CVE-2021-27365
CVE-2021-28964
CVE-2021-28971
CVE-2021-28972
CVE-2021-29154
CVE-2021-29155
CVE-2021-29265
CVE-2021-29650
CVE-2021-31916
CVE-2021-32399
CVE-2021-33034
CVE-2021-3347
CVE-2021-3348
CVE-2021-33624
CVE-2021-33909
CVE-2021-3444
CVE-2021-34556
CVE-2021-34693
CVE-2021-35039
CVE-2021-35477
CVE-2021-3600
CVE-2021-3609
CVE-2021-3655
CVE-2021-3679
CVE-2021-3715
CVE-2021-37159
CVE-2021-3732
CVE-2021-3743
CVE-2021-3744
CVE-2021-3753
CVE-2021-3764
CVE-2021-38198
CVE-2021-38199
CVE-2021-38204
CVE-2021-4002
CVE-2021-40490
CVE-2021-4157
CVE-2021-41864
CVE-2021-4202
CVE-2021-4203
CVE-2021-44879
CVE-2021-45469
CVE-2021-45485
CVE-2021-45486
CVE-2021-45868
CVE-2022-0330
CVE-2022-0435
CVE-2022-0492
CVE-2022-0617
CVE-2022-0644
CVE-2022-0847
CVE-2022-27666
CVE-2022-1011
CVE-2022-1016
CVE-2022-1353
CVE-2022-1419
CVE-2022-1678
CVE-2022-22942
CVE-2022-29581
CWE-ID CWE-401
CWE-269
CWE-476
CWE-908
CWE-787
CWE-264
CWE-362
CWE-399
CWE-20
CWE-400
CWE-121
CWE-120
CWE-416
CWE-190
CWE-125
CWE-119
CWE-330
CWE-319
CWE-367
CWE-863
CWE-22
CWE-667
CWE-327
CWE-665
CWE-200
CWE-77
CWE-843
CWE-347
CWE-203
CWE-909
CWE-415
CWE-732
CWE-617
CWE-122
CWE-911
Exploitation vector Network
Public exploit Public exploit code for vulnerability #32 is available.
Public exploit code for vulnerability #46 is available.
Public exploit code for vulnerability #53 is available.
Public exploit code for vulnerability #55 is available.
Vulnerability #62 is being exploited in the wild.
Public exploit code for vulnerability #70 is available.
Public exploit code for vulnerability #78 is available.
Public exploit code for vulnerability #79 is available.
Public exploit code for vulnerability #86 is available.
Public exploit code for vulnerability #112 is available.
Vulnerability #115 is being exploited in the wild.
Public exploit code for vulnerability #116 is available.
Public exploit code for vulnerability #117 is available.
Vulnerability #122 is being exploited in the wild.
Vulnerable software
Anolis OS
Operating systems & Components / Operating system

python-perf
Operating systems & Components / Operating system package or component

perf
Operating systems & Components / Operating system package or component

kernel-tools-libs-devel
Operating systems & Components / Operating system package or component

kernel-tools-libs
Operating systems & Components / Operating system package or component

kernel-tools
Operating systems & Components / Operating system package or component

kernel-headers
Operating systems & Components / Operating system package or component

kernel-devel
Operating systems & Components / Operating system package or component

kernel-debug-devel
Operating systems & Components / Operating system package or component

kernel-debug
Operating systems & Components / Operating system package or component

kernel
Operating systems & Components / Operating system package or component

bpftool
Operating systems & Components / Operating system package or component

Vendor OpenAnolis

Security Bulletin

This security bulletin contains information about 123 vulnerabilities.

1) Memory leak

EUVDB-ID: #VU24433

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-18808

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the "ccp_run_sha_cmd()" function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9. A local user can trigger the leak repeatedly and cause a denial of service (memory consumption).

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527
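
Every entry in this bulletin gives the same fixed version, 4.19.91-26, for all eleven packages, so a single version check covers the whole advisory. The Python below is an added example, not part of this bulletin or of OpenAnolis tooling: it re-implements rpm's segment-wise version comparison (rpmvercmp) so that an installed version-release such as 4.19.91-25.an7 can be compared with 4.19.91-26 without depending on rpm's Python bindings, and it also checks the running kernel from uname -r, because an updated kernel package changes nothing until the host is rebooted into it. The sample package versions and the .an7 dist tag are constructed assumptions, not data from a real host.

```python
"""Added example: check ANCK package versions against the fixed version in this bulletin.
Not OpenAnolis tooling; rpmvercmp() below is a re-implementation of rpm's comparison."""
import re
import subprocess
from typing import Dict

FIXED_EVR = "4.19.91-26"          # "before 4.19.91-26" throughout ANSA-2022:0527
PACKAGES = ["kernel", "kernel-debug", "kernel-devel", "kernel-debug-devel", "kernel-headers",
            "kernel-tools", "kernel-tools-libs", "kernel-tools-libs-devel",
            "perf", "python-perf", "bpftool"]
ARCHES = ("x86_64", "aarch64", "noarch")
_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Segment-wise compare as rpm does: digits numerically, letters lexically, digits beat
    letters, '~' sorts before anything (so 1.0~rc1 < 1.0), and more segments means newer."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() or y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def evr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings; the epoch is omitted, as in this bulletin."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_vulnerable(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    return evr_cmp(installed_evr, fixed_evr) < 0


def running_kernel_evr(uname_r: str) -> str:
    """'4.19.91-26.an7.x86_64' (uname -r) -> '4.19.91-26.an7'."""
    base, _, arch = uname_r.rpartition(".")
    return base if arch in ARCHES else uname_r


def assess(installed: Dict[str, str], uname_r: str) -> Dict[str, bool]:
    """Map each listed package, and the running kernel, to True when still vulnerable."""
    result = {p: is_vulnerable(v) for p, v in installed.items() if p in PACKAGES}
    result["running-kernel"] = is_vulnerable(running_kernel_evr(uname_r))
    return result


def query_host() -> Dict[str, str]:
    """Ask rpm for the installed packages; packages that are not installed are skipped."""
    out = subprocess.run(["rpm", "-q", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n", *PACKAGES],
                         capture_output=True, text=True).stdout
    found = {}
    for line in out.splitlines():
        name, _, evr = line.partition(" ")
        if evr and "-" in evr and name in PACKAGES:
            found[name] = evr
    return found


# Constructed sample, not real host data: the '.an7' dist tag is an assumption.
SAMPLE_INSTALLED = {"kernel": "4.19.91-25.an7", "kernel-devel": "4.19.91-26.an7",
                    "perf": "4.19.91-26"}
SAMPLE_UNAME_R = "4.19.91-25.an7.x86_64"

if __name__ == "__main__":
    import os
    for pkg, vuln in sorted(assess(query_host(), os.uname().release).items()):
        print(f"{pkg:24} {'VULNERABLE' if vuln else 'fixed'}")
```

Run as a script on an Anolis host it queries rpm for the eleven package names; with several kernel packages installed, the running-kernel line is the one that decides whether the host is still exposed.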


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory leak

EUVDB-ID: #VU23023

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-19057

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "mwifiex_pcie_init_evt_ring()" function in "drivers/net/wireless/marvell/mwifiex/pcie.c" file. A remote attacker on the local network can cause a denial of service condition (memory consumption) by triggering "mwifiex_map_pci_memory()" failures.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory leak

EUVDB-ID: #VU23033

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-19073

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "htc_config_pipe_credits()", "htc_setup_complete()" and "htc_connect_service()" functions in "drivers/net/wireless/ath/ath9k/htc_hst.c" file. A remote attacker on the local network can cause a denial of service condition (memory consumption) by triggering "wait_for_completion_timeout()" failures.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Memory leak

EUVDB-ID: #VU23029

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-19074

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "ath9k_wmi_cmd()" function in "drivers/net/wireless/ath/ath9k/wmi.c" file. A remote attacker on the local network can cause a denial of service condition (memory consumption).

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Memory leak

EUVDB-ID: #VU23036

Risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-19077

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the "bnxt_re_create_srq()" function in "drivers/infiniband/hw/bnxt_re/ib_verbs.c" file. A local attacker can cause a denial of service condition (memory consumption) by triggering "ib_copy_to_udata()" failures.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper Privilege Management

EUVDB-ID: #VU30542

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-19241

CWE-ID: CWE-269 - Improper Privilege Management

Exploit availability: No

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Null pointer dereference

EUVDB-ID: #VU92776

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-19462

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

relay_open in kernel/relay.c in the Linux kernel through 5.4.1 allows local users to cause a denial of service (such as relay blockage) by triggering a NULL alloc_percpu result.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Use of uninitialized resource

EUVDB-ID: #VU92774

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-19947

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows an attacker with physical access to the system to gain access to sensitive information.

In the Linux kernel through 5.4.6, there are information leaks of uninitialized memory to a USB device in the drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c driver, aka CID-da2311a6385c.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) NULL pointer dereference

EUVDB-ID: #VU90670

Risk: Low

CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-19965

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the sas_get_port_device() function in drivers/scsi/libsas/sas_discover.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Memory leak

EUVDB-ID: #VU30493

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-20096

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within __feat_register_sp() in net/dccp/feat.c (CID-1d3ff0950e2b). A remote attacker can trigger the leak repeatedly and perform a denial of service attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Out-of-bounds write

EUVDB-ID: #VU30312

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-20636

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code.

In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) NULL pointer dereference

EUVDB-ID: #VU28180

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-10711

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the Linux kernel's SELinux subsystem when importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the 'ebitmap_netlbl_import' routine. While processing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated.

A remote attacker can send specially crafted packets to the affected system, trigger a NULL pointer dereference error and crash the Linux kernel.
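
To make the failure mode concrete, the following Python is an added illustration modelled on the logic the description refers to, not kernel code: it parses a CIPSO option (IPv4 option 134) carrying one restricted-bitmap tag, and shows the vulnerable rule (mark the category map as present whenever the tag carries bitmap bytes) beside the hardened rule (mark it only when a map was actually built). A bitmap whose bytes are all zero sets no category, so no map is allocated; on the vulnerable path the consumer then trusts the flag and dereferences the absent map, which is the NULL pointer dereference in ebitmap_netlbl_import. The packets are constructed, the flag and structure names only mirror netlabel's, and the upstream fix also adds NULL checks on the consumer side; only the parser-side half is shown here.

```python
"""Added illustration of the CVE-2020-10711 bug class: a 'category map present' flag set
without the map having been allocated. Modelled on cipso_v4_parsetag_rbm() and
ebitmap_netlbl_import(); this is Python for illustration, not kernel code."""
from dataclasses import dataclass
from typing import Optional, Set

CIPSO_OPT_TYPE = 134            # IPv4 option number for CIPSO
CIPSO_TAG_RBM = 1               # tag type 1: restricted bitmap
NETLBL_SECATTR_MLS_LVL = 0x01   # flag bits modelled on netlabel's secattr flags
NETLBL_SECATTR_MLS_CAT = 0x02


@dataclass
class SecAttr:
    flags: int = 0
    level: Optional[int] = None
    cat: Optional[Set[int]] = None   # None models an unallocated catmap (kernel NULL)


def _rbm_to_catset(bitmap: bytes) -> Optional[Set[int]]:
    """Like cipso_v4_map_cat_rbm_ntoh(): the map is only allocated when a bit is set.
    Bit 0 is the most significant bit of byte 0, as in the kernel's bitmap walker."""
    cats = {i * 8 + b for i, byte in enumerate(bitmap) for b in range(8) if byte & (0x80 >> b)}
    return cats or None


def parse_rbm_tag(tag: bytes, attr: SecAttr, hardened: bool) -> None:
    """Parse one restricted-bitmap tag: type(1) len(1) align(1) level(1) bitmap(len-4)."""
    if len(tag) < 4 or tag[0] != CIPSO_TAG_RBM or tag[1] != len(tag):
        raise ValueError("malformed CIPSO RBM tag")
    tag_len = tag[1]
    attr.level = tag[3]
    attr.flags |= NETLBL_SECATTR_MLS_LVL
    if tag_len > 4:
        attr.cat = _rbm_to_catset(tag[4:tag_len])
        if hardened:
            if attr.cat is not None:              # fix: flag only an allocated map
                attr.flags |= NETLBL_SECATTR_MLS_CAT
        else:
            attr.flags |= NETLBL_SECATTR_MLS_CAT  # vulnerable: flag set regardless


def parse_cipso_option(opt: bytes, hardened: bool) -> SecAttr:
    """Parse a whole CIPSO option: type(1) len(1) DOI(4) followed by tags."""
    if len(opt) < 6 or opt[0] != CIPSO_OPT_TYPE or opt[1] != len(opt):
        raise ValueError("malformed CIPSO option")
    attr = SecAttr()
    pos = 6
    while pos < len(opt):
        if pos + 1 >= len(opt) or opt[pos + 1] < 4:
            raise ValueError("malformed CIPSO tag length")
        tlen = opt[pos + 1]
        parse_rbm_tag(opt[pos:pos + tlen], attr, hardened)
        pos += tlen
    return attr


def import_categories(attr: SecAttr) -> Set[int]:
    """Consumer in the role of ebitmap_netlbl_import(): trusts the flag and walks the map."""
    if not attr.flags & NETLBL_SECATTR_MLS_CAT:
        return set()
    return set(attr.cat)   # attr.cat is None on the vulnerable path: TypeError here, NULL deref in the kernel


# Constructed packets (not captured traffic): DOI 1, one RBM tag, sensitivity level 3.
TRIGGER = bytes([CIPSO_OPT_TYPE, 14, 0, 0, 0, 1, CIPSO_TAG_RBM, 8, 0, 3, 0, 0, 0, 0])        # all-zero bitmap
NORMAL = bytes([CIPSO_OPT_TYPE, 14, 0, 0, 0, 1, CIPSO_TAG_RBM, 8, 0, 3, 0x80, 0x40, 0, 0])   # categories 0 and 9


def run(opt: bytes, hardened: bool) -> str:
    """'ok:<categories>' when the option is imported, 'crash' when the consumer dereferences None."""
    try:
        cats = import_categories(parse_cipso_option(opt, hardened))
        return "ok:" + ",".join(str(c) for c in sorted(cats))
    except TypeError:
        return "crash"


if __name__ == "__main__":
    for name, pkt in (("all-zero bitmap", TRIGGER), ("categories 0,9", NORMAL)):
        print(f"{name:16} vulnerable={run(pkt, False):8} hardened={run(pkt, True)}")
```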

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Use of uninitialized resource

EUVDB-ID: #VU92424

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-10732

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a local user to read memory contents or crash the application.

The vulnerability exists due to use of uninitialized resource error within the fill_thread_core_info() function in fs/binfmt_elf.c. A local user can read memory contents or crash the application.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU28290

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-10751

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists in the Linux kernel's SELinux LSM hook implementation, where the kernel incorrectly assumed that an skb would only contain a single netlink message. The hook validated only the first netlink message in the skb and allowed or denied the remaining messages in the skb with the permission granted for the first one, without further processing.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Race condition

EUVDB-ID: #VU47074

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-10766

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

A logic flaw was found in the Linux kernel before 5.8-rc1 in the implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context switch when additional speculative execution mitigations are in place. This issue was introduced when the per task/process conditional STIBP switching was added on top of the existing SSBD switching.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Resource management error

EUVDB-ID: #VU47075

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-10767

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

A flaw was found in the Linux kernel before 5.8-rc1 in the implementation of the Enhanced IBPB (Indirect Branch Prediction Barrier). The IBPB mitigation will be disabled when STIBP is not available or when the Enhanced Indirect Branch Restricted Speculation (IBRS) is available. This flaw allows a local user to perform a Spectre V2 style attack when this configuration is active.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Input validation error

EUVDB-ID: #VU47076

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-10768

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local authenticated user to gain access to sensitive information.

A flaw was found in the Linux Kernel before 5.8-rc1 in the prctl() function, where it can be used to enable indirect branch speculation after it has been disabled. This call incorrectly reports it as being 'force disabled' when it is not and opens the system to Spectre v2 attacks. The highest threat from this vulnerability is to confidentiality.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
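
Entries 15, 16 and 17 all concern the per-task speculation controls (SSBD, STIBP, IBPB) and their prctl(2) interface, and the kernel reports that state in text form. The Python below is an added example, not kernel or vendor code: it parses the spectre_v2 line from /sys/devices/system/cpu/vulnerabilities and the Speculation_Store_Bypass line from /proc/<pid>/status, reports whether the conditional per-task STIBP/IBPB switching that these fixes touch is active, and, when run on a live Linux host, performs the check that follows from entry 17: force-disable indirect branch speculation in a throwaway child, then try to re-enable it; a fixed kernel refuses with EPERM, while a kernel with CVE-2020-10768 let the enable go through. The sysfs and status samples are constructed; the prctl constants are the ones from linux/prctl.h; 'unsupported' also covers hosts whose spectre_v2_user mode does not expose the prctl interface.

```python
"""Added example, not kernel or vendor code: read the speculation-control state that the
three fixes above change, and probe the CVE-2020-10768 behaviour through prctl(2)."""
import ctypes
import errno
import os
from typing import Dict, Optional, Tuple

# prctl(2) constants from <linux/prctl.h>
PR_GET_SPECULATION_CTRL, PR_SET_SPECULATION_CTRL = 52, 53
PR_SPEC_STORE_BYPASS, PR_SPEC_INDIRECT_BRANCH = 0, 1
PR_SPEC_PRCTL, PR_SPEC_ENABLE, PR_SPEC_DISABLE, PR_SPEC_FORCE_DISABLE = 1, 2, 4, 8

SPECTRE_V2_PATH = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"

# Constructed samples in the format those files use on a 4.19 kernel with the fixes applied.
SAMPLE_SPECTRE_V2 = ("Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, "
                     "STIBP: conditional, RSB filling\n")
SAMPLE_STATUS = "Name:\tbash\nSpeculation_Store_Bypass:\tthread force mitigated\nCpus_allowed:\tff\n"


def parse_spectre_v2(text: str) -> Dict[str, Optional[str]]:
    """Split 'Mitigation: <name>, IBPB: <mode>, IBRS_FW, STIBP: <mode>, RSB filling'."""
    status, _, rest = text.strip().partition(": ")
    parts = [p.strip() for p in rest.split(",")] if rest else []
    info: Dict[str, Optional[str]] = {"status": status, "mitigation": parts[0] if parts else None,
                                      "ibpb": None, "stibp": None, "ibrs_fw": "no", "rsb": "no"}
    for part in parts[1:]:
        key, _, val = part.partition(": ")
        if key == "IBPB":
            info["ibpb"] = val
        elif key == "STIBP":
            info["stibp"] = val
        elif key == "IBRS_FW":
            info["ibrs_fw"] = "yes"
        elif key == "RSB filling":
            info["rsb"] = "yes"
    return info


def per_task_switching_active(info: Dict[str, Optional[str]]) -> bool:
    """The per-task STIBP/IBPB switching that entries 15 and 16 concern is in use
    when either control is reported as 'conditional'."""
    return "conditional" in (info["ibpb"], info["stibp"])


def ssb_thread_status(status_text: str) -> str:
    """Value of the Speculation_Store_Bypass line in /proc/<pid>/status (per-task SSBD state)."""
    for line in status_text.splitlines():
        if line.startswith("Speculation_Store_Bypass:"):
            return line.split(":", 1)[1].strip()
    return "unknown"


def _prctl(option: int, arg2: int, arg3: int) -> Tuple[int, int]:
    libc = ctypes.CDLL(None, use_errno=True)
    libc.prctl.argtypes = [ctypes.c_int, ctypes.c_ulong, ctypes.c_ulong, ctypes.c_ulong, ctypes.c_ulong]
    libc.prctl.restype = ctypes.c_int
    ret = libc.prctl(option, arg2, arg3, 0, 0)
    return ret, ctypes.get_errno()


def probe_force_disable() -> str:
    """Force-disable indirect branch speculation in a forked child, then try to re-enable it.
    A fixed kernel refuses with EPERM; with CVE-2020-10768 the enable succeeded while
    PR_GET_SPECULATION_CTRL still reported the force-disable. Linux only."""
    pid = os.fork()
    if pid == 0:   # child: the force-disable is sticky, so keep it out of the caller
        ret, _ = _prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE)
        if ret != 0:
            os._exit(2)
        ret, err = _prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE)
        os._exit(0 if ret == -1 and err == errno.EPERM else 1)
    _, status = os.waitpid(pid, 0)
    return {0: "fixed", 1: "vulnerable", 2: "unsupported"}.get(os.WEXITSTATUS(status), "unsupported")


if __name__ == "__main__":
    with open(SPECTRE_V2_PATH) as f:
        info = parse_spectre_v2(f.read())
    print(info, "per-task switching:", per_task_switching_active(info))
    with open("/proc/self/status") as f:
        print("SSB for this process:", ssb_thread_status(f.read()))
    print("CVE-2020-10768 probe:", probe_force_disable())
```

The probe runs in a forked child on purpose: PR_SPEC_FORCE_DISABLE is sticky and inherited across execve, so applying it to the calling shell would leave that shell and everything it launches with indirect branch speculation switched off.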

18) Resource exhaustion

EUVDB-ID: #VU47050

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-10781

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.

A flaw was found in the Linux Kernel before 5.8-rc6 in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the creation of that ZRAM device. With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Stack-based buffer overflow

EUVDB-ID: #VU27309

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-10942

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the get_raw_socket() function in drivers/vhost/net.c, caused by a lack of validation of the sk_family field. A local user can issue a specially crafted system call, trigger a stack overflow and crash the kernel.


Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) NULL pointer dereference

EUVDB-ID: #VU28220

Risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-11608

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the ov511_mode_init_regs() and ov518_mode_init_regs() functions in the "drivers/media/usb/gspca/ov519.c" file. A remote authenticated attacker can perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) NULL pointer dereference

EUVDB-ID: #VU28221

Risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-11609

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the stv06xx subsystem in the "drivers/media/usb/gspca/stv06xx/stv06xx.c" and "drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c" files. A remote authenticated attacker can perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) NULL pointer dereference

EUVDB-ID: #VU27875

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-11668

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within drivers/media/usb/gspca/xirlink_cit.c in the Xirlink camera USB driver. A local user can pass specially crafted data to the driver and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Buffer overflow

EUVDB-ID: #VU34414

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-12465

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code.

An array overflow was discovered in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka CID-b102f0c522cf. An oversized packet with too many rx fragments can corrupt memory of adjacent pages.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Resource exhaustion

EUVDB-ID: #VU28165

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-12655

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources in the "xfs_agf_verify" function in the "fs/xfs/libxfs/xfs_alloc.c" file. A local user can use an XFS v5 image with crafted metadata, trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Use-after-free

EUVDB-ID: #VU28167

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-12657

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in "bfq_idle_slice_timer_body" in the "block/bfq-iosched.c" file. A local user can execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Input validation error

EUVDB-ID: #VU28171

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-12769

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the "drivers/spi/spi-dw.c" file. A local user can cause a panic via concurrent calls to "dw_spi_irq" and "dw_spi_transfer_one" and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Improper Handling of Exceptional Conditions

EUVDB-ID: #VU28159

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-12888

CWE-ID: N/A

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists because the VFIO PCI driver mishandles attempts to access disabled memory space. A local user can cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Integer overflow

EUVDB-ID: #VU64946

Risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-13974

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to integer overflow within drivers/tty/vt/keyboard.c if k_ascii is called several times in a row. A local user can trigger an integer overflow and execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Out-of-bounds read

EUVDB-ID: #VU47106

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-14314

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.

A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Use-after-free

EUVDB-ID: #VU51544

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-14351

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the perf subsystem. A local user with permission to monitor perf events can corrupt memory and execute arbitrary code with elevated privileges.


Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Buffer overflow

EUVDB-ID: #VU58841

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-14385

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in the file system metadata validator in XFS. A local user can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt and shut down the filesystem.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Out-of-bounds write

EUVDB-ID: #VU47051

Risk: Low

CVSSv4.0: 7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2020-14386

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: Yes

Description

The vulnerability allows a local privileged user to execute arbitrary code.

A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

33) Use-after-free

EUVDB-ID: #VU30252

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-14416

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

In the Linux kernel before 5.4.16, a race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Use-after-free

EUVDB-ID: #VU51897

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-15436

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in fs/block_dev.c in the Linux kernel. A local user can run a specially crafted program to escalate privileges on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Use-after-free

EUVDB-ID: #VU68424

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-16119

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error caused by the reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Use of insufficiently random values

EUVDB-ID: #VU95686

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-16166

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to the use of insufficiently random values within the prandom_state_selftest() function in lib/random32.c, the update_process_times() function in kernel/time/timer.c and the add_interrupt_randomness() function in drivers/char/random.c. A remote non-authenticated attacker can gain access to sensitive information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) Cleartext transmission of sensitive information

EUVDB-ID: #VU52058

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-1749

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel does not correctly route tunneled data over the encrypted link but instead sends the data unencrypted. This allows anyone between the two endpoints to read the traffic in cleartext.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Buffer overflow

EUVDB-ID: #VU51545

Risk: Low

CVSSv4.0: 4.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-25211

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to crash the system.

The vulnerability exists due to a boundary error within the ctnetlink_parse_tuple_filter() function in net/netfilter/nf_conntrack_netlink.c. A local user can inject conntrack netlink configuration, trigger buffer overflow and crash the kernel or force usage of incorrect protocol numbers.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Time-of-check Time-of-use (TOCTOU) Race Condition

EUVDB-ID: #VU51433

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-25212

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a TOCTOU mismatch in the NFS client code in the Linux kernel. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code on the system with elevated privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Incorrect authorization

EUVDB-ID: #VU92423

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-25284

CWE-ID: CWE-863 - Incorrect Authorization

Exploit availability: No

Description

The vulnerability allows a local privileged user to manipulate data.

The vulnerability exists due to an incorrect authorization error within the rbd_config_info_show(), rbd_image_refresh(), do_rbd_add() and do_rbd_remove() functions in drivers/block/rbd.c. A local privileged user can manipulate data.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

41) NULL pointer dereference

EUVDB-ID: #VU90669

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-25285

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to NULL pointer dereference within the allowed_mems_nr(), hugetlb_sysctl_handler_common() and hugetlb_overcommit_handler() functions in mm/hugetlb.c. A local privileged user can execute arbitrary code.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

42) Cleartext transmission of sensitive information

EUVDB-ID: #VU51546

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-25645

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because traffic passed between two Geneve endpoints with IPsec configured can be sent unencrypted for the specific UDP port. A remote attacker with the ability to intercept network traffic can gain access to sensitive data.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) Use-after-free

EUVDB-ID: #VU51547

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-25656

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a use-after-free error in the way the console subsystem uses KDGKBSENT and KDSKBSENT IOCTLs. A local user can run a specially crafted program to trigger an out-of-bounds read and gain access to sensitive information.


Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

44) Use-after-free

EUVDB-ID: #VU83431

Risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-25668

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local authenticated user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the con_font_op() function. A local authenticated user can trigger a use-after-free error and escalate privileges on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

45) Memory leak

EUVDB-ID: #VU55258

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-25704

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the Linux kernel performance monitoring subsystem when using PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to exhaust system resources, causing a denial of service.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

46) Use of insufficiently random values

EUVDB-ID: #VU49150

Risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2020-25705

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

A flaw was found in the way reply ICMP packets are rate-limited in the Linux kernel that allows open UDP ports to be scanned quickly. This flaw allows an off-path remote user to effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization is indirectly affected as well.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

47) Use-after-free

EUVDB-ID: #VU48967

Risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-27825

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in kernel/trace/ring_buffer.c in the Linux kernel, when trace_open and a resize of the cpu buffer are running in parallel on different CPUs. A local user can run a specially crafted application and perform a denial of service attack or read contents of kernel memory.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

48) Path traversal

EUVDB-ID: #VU49914

Risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-28374

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences in drivers/target/target_core_xcopy.c in the Linux kernel. A remote user with access to an iSCSI LUN can send a specially crafted XCOPY request and read or write arbitrary files on the system.


Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

49) Out-of-bounds read

EUVDB-ID: #VU90369

Risk: Medium

CVSSv4.0: 1.8 [CVSS:4.0/AV:P/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-28974

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local privileged user to read and manipulate data.

The vulnerability exists due to an out-of-bounds read error within the con_font_default() and con_font_op() functions in drivers/tty/vt/vt.c. A local privileged user can read and manipulate data.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

50) Race condition

EUVDB-ID: #VU91491

Risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-29369

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to a race condition within the unmap_region(), detach_vmas_to_be_unmapped() and __do_munmap() functions in mm/mmap.c. A local user can execute arbitrary code.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

51) Race condition

EUVDB-ID: #VU63812

Risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-29374

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a race condition in mm/gup.c and mm/huge_memory.c in the Linux kernel. A local user can exploit the race and gain unauthorized access to sensitive information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

52) Improper locking

EUVDB-ID: #VU57039

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-29660

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a double-locking error in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c. An authenticated local user can exploit this vulnerability to perform a read-after-free attack against TIOCGSID and gain access to sensitive information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

53) Improper locking

EUVDB-ID: #VU51543

Risk: Low

CVSSv4.0: 7.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2020-29661

CWE-ID: CWE-667 - Improper Locking

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a locking error in the tty subsystem of the Linux kernel in drivers/tty/tty_jobctrl.c. A local user can exploit this vulnerability to trigger a use-after-free error against TIOCSPGRP and execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

54) Use of a broken or risky cryptographic algorithm

EUVDB-ID: #VU66811

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-36516

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform denial of service (DoS) or MitM attacks.

The vulnerability exists due to an error in the mixed IPID assignment method with the hash-based IPID assignment policy in Linux kernel. A remote attacker can inject data into a victim's TCP session or terminate that session.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

55) Use-after-free

EUVDB-ID: #VU24834

Risk: Low

CVSSv4.0: 5.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2020-8428

CWE-ID: CWE-416 - Use After Free

Exploit availability: Yes

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the "may_create_in_sticky" in "fs/namei.c". A local user can cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

56) Use-after-free

EUVDB-ID: #VU28415

Risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-8647

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local authenticated user to trigger a use-after-free error.

There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

57) Use-after-free

EUVDB-ID: #VU28416

Risk: Low

CVSSv4.0: 4.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-8648

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local authenticated user to trigger a use-after-free error.

There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

58) Use-after-free

EUVDB-ID: #VU28414

Risk: Medium

CVSSv4.0: 1.8 [CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-8649

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local authenticated user to trigger a use-after-free error.

There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

59) Improper Initialization

EUVDB-ID: #VU58208

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-20317

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper initialization in the Linux kernel. A corrupted timer tree causes a task wakeup to be missed in the timerqueue_add function in lib/timerqueue.c. A local user can run a specially crafted application to crash the kernel.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

60) Race condition

EUVDB-ID: #VU59084

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-20321

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a race condition when accessing a file object in the Linux kernel OverlayFS subsystem. A local user can rename files in a specific way with OverlayFS and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

61) Use of insufficiently random values

EUVDB-ID: #VU63839

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-20322

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error when processing received ICMP errors. A remote attacker can effectively bypass the source port UDP randomization to gain access to sensitive information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

62) Out-of-bounds write

EUVDB-ID: #VU56017

Risk: Low

CVSSv4.0: 8.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear]

CVE-ID: CVE-2021-22555

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error when processing untrusted input in net/netfilter/x_tables.c in Linux kernel. A local user can run a specially crafted program to trigger an out-of-bounds write and execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

63) Information disclosure

EUVDB-ID: #VU51453

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-27363

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists because show_transport_handle() shows the iSCSI transport handle to non-root users. A local user can gain unauthorized access to sensitive information and use it along with another vulnerability, such as #VU51452, to escalate privileges on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

64) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51452

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-27364

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because iscsi_if_recv_msg() allows non-root users to connect and send commands to the Linux kernel. A local user can escalate privileges on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

65) Buffer overflow

EUVDB-ID: #VU51451

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-27365

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error when processing Netlink messages in the Linux kernel through 5.11.3, as certain iSCSI data structures do not have appropriate length constraints or checks and can exceed the PAGE_SIZE value. A local unprivileged user can send an iSCSI-associated Netlink message with a length up to the maximum Netlink message length, trigger memory corruption and execute arbitrary code on the system with elevated privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

66) Race condition

EUVDB-ID: #VU63573

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-28964

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists due to a race condition in the get_old_root() function in fs/btrfs/ctree.c component in the Linux kernel. A local user can exploit the race and perform a denial of service attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

67) Resource exhaustion

EUVDB-ID: #VU64830

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-28971

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to mishandling of the PEBS status in a PEBS record in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

68) Buffer overflow

EUVDB-ID: #VU56819

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-28972

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in drivers/pci/hotplug/rpadlpar_sysfs.c. A local administrator can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

69) Command Injection

EUVDB-ID: #VU56241

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-29154

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect computation of branch displacements within the BPF JIT compilers in the Linux kernel in arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. A local user can inject and execute arbitrary commands with elevated privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

70) Out-of-bounds read

EUVDB-ID: #VU67490

Risk: Low

CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2021-29155

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: Yes

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists in retrieve_ptr_limit in kernel/bpf/verifier.c in the Linux kernel. A BPF program run by a local user with special privileges (CAP_SYS_ADMIN) on affected systems may bypass the protection and speculatively execute out-of-bounds loads from kernel memory.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

71) Race condition

EUVDB-ID: #VU91488

Risk: Low

CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-29265

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a race condition within the usbip_sockfd_store() function in drivers/usb/usbip/stub_dev.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

72) Buffer overflow

EUVDB-ID: #VU56240

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-29650

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the netfilter subsystem in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h. A local user can trigger memory corruption upon the assignment of a new table value and cause denial of service.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

73) Out-of-bounds write

EUVDB-ID: #VU63574

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-31916

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module. A special user (CAP_SYS_ADMIN) can trigger a buffer overflow in the ioctl for listing devices and escalate privileges on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

74) Race condition

EUVDB-ID: #VU55257

Risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-32399

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition during removal of the HCI controller within net/bluetooth/hci_request.c in the Linux kernel. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

75) Use-after-free

EUVDB-ID: #VU54454

Risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-33034

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in net/bluetooth/hci_event.c when destroying an hci_chan. A local user can escalate privileges on the system.
Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

76) Use-after-free

EUVDB-ID: #VU52035

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-3347

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to elevate privileges on the system.

The vulnerability exists due to a use-after-free error when handling PI futexes. A local user can run a specially crafted program to trigger a use-after-free error and execute arbitrary code with elevated privileges.
Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

77) Use-after-free

EUVDB-ID: #VU83433

Risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-3348

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local authenticated user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the nbd_add_socket in drivers/block/nbd.c. A local authenticated user can trigger a use-after-free error and escalate privileges on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

78) Type Confusion

EUVDB-ID: #VU64881

Risk: Low

CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2021-33624

CWE-ID: CWE-843 - Type confusion

Exploit availability: Yes

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a type confusion error within kernel/bpf/verifier.c in the Linux kernel. An unprivileged BPF program can read arbitrary memory locations via a side-channel attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

79) Integer overflow

EUVDB-ID: #VU55143

Risk: Low

CVSSv4.0: 7.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2021-33909

CWE-ID: CWE-190 - Integer overflow

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an integer overflow during size_t-to-int conversion when creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB. An unprivileged local user can write a string of up to 10 bytes at an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.

Successful exploitation of the vulnerability may allow an attacker to use the out-of-bounds write to execute arbitrary code with root privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

80) Out-of-bounds read

EUVDB-ID: #VU90368

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-3444

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to an out-of-bounds read error within the fixup_bpf_calls() function in kernel/bpf/verifier.c. A local user can execute arbitrary code.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

81) Information disclosure

EUVDB-ID: #VU64203

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-34556

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A local user can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

82) Use of uninitialized resource

EUVDB-ID: #VU55263

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-34693

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists because net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory, as parts of a data structure are uninitialized.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

83) Improper Verification of Cryptographic Signature

EUVDB-ID: #VU66477

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-35039

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper signature handling in kernel/module.c in the Linux kernel. An unsigned kernel module can still be loaded into the system via init_module even when the module.sig_enforce=1 command-line argument is used. As a result, a local user can load unsigned and potentially malicious kernel modules.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

84) Observable discrepancy

EUVDB-ID: #VU92412

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-35477

CWE-ID: CWE-203 - Observable discrepancy

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to an observable discrepancy error. A local user can gain access to sensitive information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

85) Out-of-bounds read

EUVDB-ID: #VU92400

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-3600

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to an out-of-bounds read error within the fixup_bpf_calls() function in kernel/bpf/verifier.c. A local user can execute arbitrary code.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

86) Race condition

EUVDB-ID: #VU54292

Risk: Medium

CVSSv4.0: 7.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2021-3609

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in the CAN BCM networking protocol (net/can/bcm.c) in Linux kernel versions from 2.6.25 to mainline 5.13-rc6. A local user can exploit the race to gain unauthorized access to sensitive information and escalate privileges on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

87) Missing initialization of resource

EUVDB-ID: #VU61098

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-3655

CWE-ID: CWE-909 - Missing initialization of resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to missing initialization of resource in the Linux kernel when processing inbound SCTP packets. A remote attacker can send specially crafted SCTP packets to the system and force the kernel to read uninitialized memory.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

88) Resource exhaustion

EUVDB-ID: #VU63664

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-3679

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a lack of CPU resources in the Linux kernel tracing module functionality when the trace ring buffer is used in a specific way. A privileged local user (with the CAP_SYS_ADMIN capability) could use this flaw to starve the system of resources, causing a denial of service.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

89) Use-after-free

EUVDB-ID: #VU56393

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-3715

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the "Routing decision" classifier in the Linux kernel's Traffic Control networking subsystem (the route4_change() function in net/sched/cls_route.c) in the way it handles changes to classification filters. A local user can trigger the use-after-free error and execute arbitrary code with elevated privileges.


Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

90) Double Free

EUVDB-ID: #VU63575

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-37159

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the hso_free_net_device() function in drivers/net/usb/hso.c in the Linux kernel calls unregister_netdev() without checking for the NETREG_REGISTERED state. A local user can trigger double free and use-after-free errors and execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

91) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU74548

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-3732

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists in the way a TmpFS filesystem is mounted together with OverlayFS. A local user can gain access to hidden files that should not be accessible.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

92) Out-of-bounds read

EUVDB-ID: #VU63913

Risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-3743

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists due to a boundary condition in the Qualcomm IPC router protocol in the Linux kernel. A local user can gain access to out-of-bounds memory to leak internal kernel information or perform a denial of service attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

93) Memory leak

EUVDB-ID: #VU63813

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-3744

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a DoS attack on the target system.

The vulnerability exists due to a memory leak in the ccp_run_aes_gcm_cmd() function in drivers/crypto/ccp/ccp-ops.c. A local user can force the kernel to leak memory and perform a denial of service attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

94) Out-of-bounds read

EUVDB-ID: #VU64210

Risk: Low

CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-3753

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in vt_k_ioctl() in drivers/tty/vt/vt_ioctl.c in the Linux kernel. A local user can trigger an out-of-bounds read error and read the contents of memory on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

95) Memory leak

EUVDB-ID: #VU63817

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-3764

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak error in the ccp_run_aes_gcm_cmd() function in the Linux kernel. A local user can trigger the memory leak and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

96) Incorrect permission assignment for critical resource

EUVDB-ID: #VU63665

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-38198

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists because arch/x86/kvm/mmu/paging_tmpl.h incorrectly computes the access permissions of a shadow page. A local user can trigger an error to perform a denial of service attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

97) Race condition

EUVDB-ID: #VU61208

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-38199

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because fs/nfs/nfs4client.c in the Linux kernel has incorrect connection-setup ordering. A remote attacker with access to a remote NFSv4 server can perform a denial of service (DoS) attack by arranging for the server to be unreachable during trunking detection.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

98) Use-after-free

EUVDB-ID: #VU63666

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-38204

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local attacker to perform a denial of service attack.

The vulnerability exists due to a use-after-free error in drivers/usb/host/max3421-hcd.c in the Linux kernel. An attacker with physical access to the system can remove a MAX-3421 USB device to perform a denial of service attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

99) Memory leak

EUVDB-ID: #VU63836

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-4002

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a memory leak in the Linux kernel's hugetlbfs memory usage. A local user can force the kernel to leak memory and gain access to sensitive information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

100) Race condition

EUVDB-ID: #VU63667

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-40490

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in ext4_write_inline_data_end() in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel. A local user can exploit the race to gain unauthorized access to sensitive information and escalate privileges on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

101) Buffer overflow

EUVDB-ID: #VU63323

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-4157

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the Linux kernel NFS subsystem. A remote attacker can create specially crafted data and crash the system or escalate privileges on the system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

102) Out-of-bounds write

EUVDB-ID: #VU63855

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-41864

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error when processing untrusted input. A local user can gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

103) Use-after-free

EUVDB-ID: #VU63764

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-4202

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the nci_request() function in net/nfc/nci/core.c in the NFC Controller Interface (NCI) in the Linux kernel. A local user can cause a data race while the device is being removed and escalate privileges on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

104) Use-after-free

EUVDB-ID: #VU63838

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-4203

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the sock_getsockopt() function in net/core/sock.c, because SO_PEERCRED and SO_PEERGROUPS handling races with the listen() function (and the connect() function) in the Linux kernel. A local user can exploit the use-after-free error to crash the system or escalate privileges on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

105) NULL pointer dereference

EUVDB-ID: #VU62483

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-44879

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the gc_data_segment() function in fs/f2fs/gc.c. A local user can mount a specially crafted f2fs image, trigger a NULL pointer dereference and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

106) Out-of-bounds read

EUVDB-ID: #VU63578

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-45469

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to a boundary condition in the __f2fs_setxattr() function in fs/f2fs/xattr.c in the Linux kernel when an inode has an invalid last xattr entry. A local user can create a specially crafted f2fs image, trigger an out-of-bounds read error, and perform a denial of service attack or possibly execute arbitrary code.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

107) Information disclosure

EUVDB-ID: #VU63668

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-45485

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in the IPv6 implementation in the Linux kernel. A remote attacker can gain access to sensitive information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

108) Information disclosure

EUVDB-ID: #VU63577

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-45486

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to incorrect implementation of the IPv4 protocol in the Linux kernel. A remote attacker can disclose internal state in some situations.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

109) Use-after-free

EUVDB-ID: #VU63422

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-45868

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial-of-service attack.

The vulnerability exists because fs/quota/quota_tree.c does not validate the block number in the on-disk quota tree. A local user can trigger a use-after-free error and perform a denial-of-service attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

110) Buffer overflow

EUVDB-ID: #VU60988

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-0330

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a random memory access flaw caused by a missing TLB flush in the Linux kernel i915 GPU driver. A local user can execute arbitrary code on the system with elevated privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

111) Stack-based buffer overflow

EUVDB-ID: #VU61216

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-0435

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the Linux kernel networking module for the Transparent Inter-Process Communication (TIPC) protocol. A remote unauthenticated attacker can send specially crafted traffic to the system, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system, but requires that a TIPC bearer is set up.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

112) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU61245

Risk: Low

CVSSv4.0: 8.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear]

CVE-ID: CVE-2022-0492

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a logic error within the cgroup_release_agent_write() function in kernel/cgroup/cgroup-v1.c. A local user can use the cgroups v1 release_agent feature to escalate privileges and bypass namespace isolation.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

113) NULL pointer dereference

EUVDB-ID: #VU61210

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-0617

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the Linux kernel UDF file system functionality. A local user can supply a malicious UDF image to the udf_file_write_iter() function and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

114) Reachable Assertion

EUVDB-ID: #VU63860

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-0644

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion in the Linux kernel's kernel_read_file_from_fd() function in the filesystem code. A local user can attempt to read a file without read permission and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

115) Use of uninitialized resource

EUVDB-ID: #VU61110

Risk: Low

CVSSv4.0: 8.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear]

CVE-ID: CVE-2022-0847

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to usage of an uninitialized resource. A local user can overwrite arbitrary files in the page cache, even if the file is read-only, and execute arbitrary code on the system with elevated privileges.

The vulnerability was dubbed Dirty Pipe.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

116) Heap-based buffer overflow

EUVDB-ID: #VU61672

Risk: Low

CVSSv4.0: 6.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2022-27666

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c in Linux kernel. A local unprivileged user can pass specially crafted data to the system, trigger a heap-based buffer overflow and execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

117) Use-after-free

EUVDB-ID: #VU63386

Risk: Low

CVSSv4.0: 7.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2022-1011

CWE-ID: CWE-416 - Use After Free

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the write() function of the FUSE filesystem. A local user can retrieve (partial) /etc/shadow hashes and execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

118) Use-after-free

EUVDB-ID: #VU62028

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-1016

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a use-after-free error in net/netfilter/nf_tables_core.c:nft_do_chain in the Linux kernel. A local user can trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

119) Information disclosure

EUVDB-ID: #VU63388

Risk: Low

CVSSv4.0: 4.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-1353

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the pfkey_register function in net/key/af_key.c in the Linux kernel. A local user can gain unauthorized access to kernel memory, leading to a system crash or a leak of internal kernel information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

120) Use-after-free

EUVDB-ID: #VU63418

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-1419

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the vgem_gem_dumb_create() function in the Linux kernel. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

121) Memory leak

EUVDB-ID: #VU93433

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-1678

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due to a memory leak within the tcp_pace_kick() function in net/ipv4/tcp_output.c, caused by an improper update of the sock reference in TCP pacing. A remote attacker can force the system to leak memory and perform a denial of service attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

122) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU61217

Risk: Low

CVSSv4.0: 8.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear]

CVE-ID: CVE-2022-22942

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an error in the vmwgfx driver in the Linux kernel. A local unprivileged user can gain access to files opened by other processes on the system through a dangling 'file' pointer.

Exploiting this vulnerability requires an attacker to have access to either /dev/dri/card0 or /dev/dri/renderD128 and be able to issue an ioctl() on the resulting file descriptor.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

123) Improper update of reference count

EUVDB-ID: #VU63496

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-29581

CWE-ID: CWE-911 - Improper Update of Reference Count

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an improper update of a reference count in net/sched in the Linux kernel. A local user can execute arbitrary code with root privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

python-perf: before 4.19.91-26

perf: before 4.19.91-26

kernel-tools-libs-devel: before 4.19.91-26

kernel-tools-libs: before 4.19.91-26

kernel-tools: before 4.19.91-26

kernel-headers: before 4.19.91-26

kernel-devel: before 4.19.91-26

kernel-debug-devel: before 4.19.91-26

kernel-debug: before 4.19.91-26

kernel: before 4.19.91-26

bpftool: before 4.19.91-26

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0527


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
