#VU63856 Type conversion in Linux kernel - CVE-2022-0322

Cybersecurity Help s.r.o.

Published: 2022-05-31

Vulnerability identifier: #VU63856

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-0322

CWE-ID: CWE-704

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists due to a type conversion error in the sctp_make_strreset_req() function in net/sctp/sm_make_chunk.c in the SCTP network protocol in the Linux kernel. A local user can perform a denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Linux kernel: before 5.15, 5.15

External links
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a2d859e3fc97e79d907761550dbc03ff1b36479c
https://bugzilla.redhat.com/show_bug.cgi?id=2042822

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler 20.03 LTS SP3 update for kernel

openEuler 20.03 LTS SP1 update for kernel

Multiple vulnerabilities in Red Hat Migration Toolkit for Containers (MTC)

Multiple vulnerabilities in Red Hat Advanced Cluster Management 2.3

Multiple vulnerabilities in Red Hat Advanced Cluster Management 2.4

Anolis OS update for kernel

Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes 2

Multiple vulnerabilities in Migration Toolkit for Containers 1.6

Red Hat Enterprise Linux 8 update for kernel

Red Hat Enterprise Linux 8 update for kernel-rt