#VU61392 Memory leak in Linux kernel - CVE-2022-0742

Cybersecurity Help s.r.o.

Published: 2022-03-15

Vulnerability identifier: #VU61392

Vulnerability risk: High

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-0742

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor:

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak within igmp6_event_query() and igmp6_event_report() functions in Linux kernel when handling ICMPv6 packets. A remote attacker can flood the system with ICMPv6 messages of type 130 and 131 to cause out-of-memory condition and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2d3916f3189172d5c69d33065c3c21119fe539fc

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Amazon Linux AMI update for kernel

Slackware Linux update for Slackware 15.0 kernel

Ubuntu update for linux-azure-5.13

Ubuntu update for linux-intel-5.13

Ubuntu update for linux-oem-5.14

Ubuntu update for linux

Denial of service in Linux kernel ICMPv6