#VU65297 Double Free in Linux kernel - CVE-2022-34494


Vulnerability identifier: #VU65297

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-34494

CWE-ID: CWE-415

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor:

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the rpmsg_virtio_add_ctrl_dev() function in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel remote processor messaging (rpmsg) framework. A local user can run a specially crafted program to trigger a double free error and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://github.com/torvalds/linux/commit/1680939e9ecf7764fba8689cfb3429c2fe2bb23c
http://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.18.4

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Amazon Linux AMI update for kernel
Multiple vulnerabilities in Google Pixel (December 2022)
Ubuntu update for linux-ibm
Ubuntu update for linux-intel-iotg
Ubuntu update for linux-gke-5.15
Ubuntu update for linux-gcp-5.15
Ubuntu update for linux-oracle
Ubuntu update for linux-gkeop
Ubuntu update for linux-gcp
Ubuntu update for linux