CVE-2022-0742 : Memory leak in icmp6 implementation in Linux Kernel 5.13+ allows a remote attack

Memory leak in icmp6 implementation in Linux Kernel 5.13+ allows a remote attacker to DoS a host by making it go out-of-memory via icmp6 packets of type 130 or 131. We recommend upgrading past commit 2d3916f3189172d5c69d33065c3c21119fe539fc.

Published 2022-03-18 12:15:08

Updated 2023-01-20 14:22:51

Source Google Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2022-0742

Linux » Linux Kernel
Versions from including (>=) 5.13 and before (<) 5.15.27
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 5.16 and before (<) 5.16.13
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 5.17 Update RC1
cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 5.17 Update RC2
cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 5.17 Update RC3
cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 5.17 Update RC4
cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 5.17 Update RC5
cpe:2.3:o:linux:linux_kernel:5.17:rc5:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 5.17 Update RC6
cpe:2.3:o:linux:linux_kernel:5.17:rc6:*:*:*:*:*:*
Matching versions
Netapp » H410c Firmware » Version: N/A
cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H410c » Version: N/A
Netapp » H300s Firmware » Version: N/A
cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H300s » Version: N/A
Netapp » H500s Firmware » Version: N/A
cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H500s » Version: N/A
Netapp » H700s Firmware » Version: N/A
cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H700s » Version: N/A
Netapp » H300e Firmware » Version: N/A
cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H300e » Version: N/A
Netapp » H500e Firmware » Version: N/A
cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H500e » Version: N/A
Netapp » H700e Firmware » Version: N/A
cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H700e » Version: N/A
Netapp » H410s Firmware » Version: N/A
cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H410s » Version: N/A
Netapp » Aff 8300 Firmware » Version: N/A
cpe:2.3:o:netapp:aff_8300_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » Aff 8300 » Version: N/A
Netapp » Aff 8700 Firmware » Version: N/A
cpe:2.3:o:netapp:aff_8700_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » Aff 8700 » Version: N/A
Netapp » Fas 8300 Firmware » Version: N/A
cpe:2.3:o:netapp:fas_8300_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » Fas 8300 » Version: N/A
Netapp » Fas 8700 Firmware » Version: N/A
cpe:2.3:o:netapp:fas_8700_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » Fas 8700 » Version: N/A
Netapp » A400 Firmware » Version: N/A
cpe:2.3:o:netapp:a400_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » A400 » Version: N/A

Threat overview for CVE-2022-0742

Top countries where our scanners detected CVE-2022-0742

Top open port discovered on systems with this issue 5001

IPs affected by CVE-2022-0742 623

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2022-0742!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2022-0742

EPSS FAQ

0.57%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 66 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-0742

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.8	HIGH	AV:N/AC:L/Au:N/C:N/I:N/A:C	10.0	6.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete
9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H	3.9	5.2	Google Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-0742

CWE-275

Assigned by: cve-coordination@google.com (Secondary)
CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-0742

https://security.netapp.com/advisory/ntap-20220425-0001/

CVE-2022-0742 Linux Kernel Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2d3916f3189172d5c69d33065c3c21119fe539fc

kernel/git/torvalds/linux.git - Linux kernel source tree
Patch;Vendor Advisory
https://www.openwall.com/lists/oss-security/2022/03/15/3

oss-security - CVE-2022-0742: Remote Denial of Service on Linux Kernel >=5.13 icmp6
Mailing List;Third Party Advisory