#VU90878 Use of uninitialized resource in Linux kernel


Published: 2024-06-03

Vulnerability identifier: #VU90878

Vulnerability risk: Low

CVSSv3.1: 6.8 [AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-26882

CWE-ID: CWE-908

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to the use of an uninitialized resource within the ip_tunnel_rcv() function in net/ipv4/ip_tunnel.c. A local user can execute arbitrary code.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Linux kernel:


External links
http://git.kernel.org/stable/c/ec6bb01e02cbd47781dd90775b631a1dc4bd9d2b
http://git.kernel.org/stable/c/77fd5294ea09b21f6772ac954a121b87323cec80
http://git.kernel.org/stable/c/5c03387021cfa3336b97e0dcba38029917a8af2a
http://git.kernel.org/stable/c/60044ab84836359534bd7153b92e9c1584140e4a
http://git.kernel.org/stable/c/c4c857723b37c20651300b3de4ff25059848b4b0
http://git.kernel.org/stable/c/f6723d8dbfdc10c784a56748f86a9a3cd410dbd5
http://git.kernel.org/stable/c/ca914f1cdee8a85799942c9b0ce5015bbd6844e1
http://git.kernel.org/stable/c/b0ec2abf98267f14d032102551581c833b0659d3


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

