Vulnerability Details : CVE-2022-43750

drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory.

Vulnerability category: Memory Corruption

Published 2022-10-26 04:15:14

Updated 2023-02-14 21:38:48

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-43750

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-43750

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
6.7	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	0.8	5.9	nvd@nist.gov
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-43750

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-43750

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.19.15

Release Notes;Vendor Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html

[SECURITY] [DLA 3173-1] linux-5.10 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a659daf63d16aa883be42f3f34ff84235c302198

kernel/git/torvalds/linux.git - Linux kernel source tree
Patch;Vendor Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00034.html

[SECURITY] [DLA 3245-1] linux security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/torvalds/linux/commit/a659daf63d16aa883be42f3f34ff84235c302198

usb: mon: make mmapped memory read only · torvalds/linux@a659daf · GitHub
Patch;Third Party Advisory
https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.0.1

Release Notes;Vendor Advisory

Products affected by CVE-2022-43750

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 4.10 and before (<) 4.14.296
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 6.0 and before (<) 6.0.1
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 5.16 and before (<) 5.19.15
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 2.6.21 and before (<) 4.9.331
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 5.5 and before (<) 5.10.148
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 5.11 and before (<) 5.15.73
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 4.15 and before (<) 4.19.262
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 4.20 and before (<) 5.4.218
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions