Improper Validation of Array Index in Linux kernel

#VU63316 Improper Validation of Array Index in Linux kernel

Cybersecurity Help s.r.o.

Published: 2022-05-17

Vulnerability identifier: #VU63316

Vulnerability risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-27223

CWE-ID: CWE-129

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description
The vulnerability allows a remote attacker to execute arbitrary code with elevated privileges.

The vulnerability exists due to improper validation of array index in drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel. A remote attacker can send specially crafted data to the system and execute arbitrary code with elevated privileges.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Linux kernel: 5.16.1 - 5.16.11

External links
http://github.com/torvalds/linux/commit/7f14c7227f342d9932f9b918893c8814f86d2a0d
http://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.12
http://security.netapp.com/advisory/ntap-20220419-0001/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Amazon Linux AMI update for kernel

Multiple vulnerabilities in Dell CloudLink

Ubuntu update for linux

Ubuntu update for linux-oem-5.14

openEuler update for kernel

SUSE update for the Linux Kernel