Vulnerability Details : CVE-2022-42895

There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req function which can be used to leak kernel pointers remotely. We recommend upgrading past commit https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e https://www.google.com/url

Published 2022-11-23 15:15:11

Updated 2023-01-23 18:29:24

Source Google Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-42895

Probability of exploitation activity in the next 30 days: 0.05%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 19 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-42895

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
5.1	MEDIUM	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	1.4	3.6	cve-coordination@google.com
Attack Vector: Local Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
6.5	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	2.8	3.6	nvd@nist.gov
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2022-42895

CWE-824 Access of Uninitialized Pointer

The product accesses or uses a pointer that has not been initialized.
Assigned by:
- cve-coordination@google.com (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2022-42895

https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e

Bluetooth: L2CAP: Fix attempting to access uninitialized memory · torvalds/linux@b1a2cd5 · GitHub
Patch;Third Party Advisory
https://kernel.dance/#b1a2cd50c0357f243b7435a732b4e62ba3157a2e

🐧🕺
Patch;Third Party Advisory

Products affected by CVE-2022-42895

Linux » Linux Kernel » Version: N/A
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
Matching versions