| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-33744 | | | DoS | 2022-07-05 | 2022-10-29 | 1.9 | None | Local | Medium | Not required | None | None | Partial | Arm guests can cause Dom0 DoS via PV devices. When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages. |
| 2 | CVE-2022-24448 | 909 | | | 2022-02-04 | 2022-05-12 | 1.9 | None | Local | Medium | Not required | Partial | None | None | An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor. |
| 3 | CVE-2021-28964 | 362 | | DoS | 2021-03-22 | 2022-06-30 | 1.9 | None | Local | Medium | Not required | None | None | Partial | A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc. |
| 4 | CVE-2021-26932 | | | | 2021-02-17 | 2022-07-28 | 1.9 | None | Local | Medium | Not required | None | None | Partial | An issue was discovered in the Linux kernel 3.2 through 5.10.16, as used by Xen. Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one is reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation. Unfortunately, when running in PV mode, the Linux backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery. Only systems with Linux backends running in PV mode are vulnerable. Linux backends run in HVM / PVH modes are not vulnerable. This affects arch/*/xen/p2m.c and drivers/xen/gntdev.c. |
| 5 | CVE-2021-26931 | 770 | | | 2021-02-17 | 2022-06-04 | 1.9 | None | Local | Medium | Not required | None | None | Partial | An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially being at least under the influence of guests (such as out of memory conditions), it isn't correct to assume a plain bug. Memory allocations potentially causing such crashes occur only when Linux is running in PV mode, though. This affects drivers/block/xen-blkback/blkback.c and drivers/xen/xen-scsiback.c. |
| 6 | CVE-2021-4095 | 476 | | DoS | 2022-03-10 | 2022-07-28 | 1.9 | None | Local | Medium | Not required | None | None | Partial | A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. An unprivileged local attacker on the host may use this flaw to cause a kernel oops condition and thus a denial of service by issuing a KVM_XEN_HVM_SET_ATTR ioctl. This flaw affects Linux kernel versions prior to 5.17-rc1. |
| 7 | CVE-2021-3753 | 125 | | | 2022-02-16 | 2022-12-07 | 1.9 | None | Local | Medium | Not required | Partial | None | None | A race problem was seen in the vt_k_ioctl in drivers/tty/vt/vt_ioctl.c in the Linux kernel, which may cause an out of bounds read in vt as the write access to vc_mode is not protected by a lock in vt_ioctl (KDSETMDE). The highest threat from this vulnerability is to data confidentiality. |
| 8 | CVE-2020-27170 | 203 | | +Info | 2021-03-20 | 2022-07-30 | 1.9 | None | Local | Medium | Not required | Partial | None | None | An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit. |
| 9 | CVE-2020-25656 | 416 | | | 2020-12-02 | 2022-10-25 | 1.9 | None | Local | Medium | Not required | Partial | None | None | A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality. |
| 10 | CVE-2020-25284 | 863 | | | 2020-09-13 | 2022-04-28 | 1.9 | None | Local | Medium | Not required | None | Partial | None | The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap rbd block devices, aka CID-f44d04e696fe. |
| 11 | CVE-2020-24587 | 327 | | | 2021-05-11 | 2022-07-12 | 1.8 | None | Local Network | High | Not required | Partial | None | None | The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. |
| 12 | CVE-2020-12114 | 362 | | DoS | 2020-05-04 | 2021-06-14 | 1.9 | None | Local | Medium | Not required | None | None | Partial | A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter. |
| 13 | CVE-2020-10767 | | | | 2020-09-15 | 2020-09-23 | 1.9 | None | Local | Medium | Not required | Partial | None | None | A flaw was found in the Linux kernel before 5.8-rc1 in the implementation of the Enhanced IBPB (Indirect Branch Prediction Barrier). The IBPB mitigation will be disabled when STIBP is not available or when the Enhanced Indirect Branch Restricted Speculation (IBRS) is available. This flaw allows a local attacker to perform a Spectre V2 style attack when this configuration is active. The highest threat from this vulnerability is to confidentiality. |
| 14 | CVE-2019-19965 | 476 | | | 2019-12-25 | 2022-03-31 | 1.9 | None | Local | Medium | Not required | None | None | Partial | In the Linux kernel through 5.4.6, there is a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5. |
| 15 | CVE-2019-19039 | 532 | | +Info | 2019-11-21 | 2022-04-29 | 1.9 | None | Local | Medium | Not required | Partial | None | None | ** DISPUTED ** __btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program. NOTE: The BTRFS development team disputes this issue as not being a vulnerability because “1) The kernel provides facilities to restrict access to dmesg - dmesg_restrict=1 sysctl option. So it's really up to the system administrator to judge whether dmesg access shall be disallowed or not. 2) WARN/WARN_ON are widely used macros in the linux kernel. If this CVE is considered valid this would mean there are literally thousands of CVEs lurking in the kernel - something which clearly is not the case.” |
| 16 | CVE-2019-18660 | 200 | | +Info | 2019-11-27 | 2020-01-28 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs, aka CID-39e72bf96f58. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c. |
| 17 | CVE-2019-11191 | 362 | | Bypass | 2019-04-12 | 2019-06-17 | 1.9 | None | Local | Medium | Not required | Partial | None | None | ** DISPUTED ** The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. NOTE: the software maintainer disputes that this is a vulnerability because ASLR for a.out format executables has never been supported. |
| 18 | CVE-2019-3901 | 667 | | Bypass | 2019-04-22 | 2023-02-12 | 1.9 | None | Local | Medium | Not required | Partial | None | None | A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. This issue affects kernel versions before 4.8. |
| 19 | CVE-2019-3016 | 362 | | | 2020-01-31 | 2020-06-10 | 1.9 | None | Local | Medium | Not required | Partial | None | None | In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limited to the host running Linux kernel 4.10 with a guest running Linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out. |
| 20 | CVE-2018-19854 | 200 | | +Info | 2018-12-04 | 2019-11-06 | 1.9 | None | Local | Medium | Not required | Partial | None | None | An issue was discovered in the Linux kernel before 4.19.3. crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability because the attacker does not need a capability (however, the system must have the CONFIG_CRYPTO_USER kconfig option). |
| 21 | CVE-2017-18224 | 362 | | DoS | 2018-03-12 | 2018-05-03 | 1.9 | None | Local | Medium | Not required | None | None | Partial | In the Linux kernel before 4.15, fs/ocfs2/aops.c omits use of a semaphore and consequently has a race condition for access to the extent tree during read operations in DIRECT mode, which allows local users to cause a denial of service (BUG) by modifying a certain e_cpos field. |
| 22 | CVE-2017-18203 | 362 | | DoS | 2018-02-27 | 2018-06-20 | 1.9 | None | Local | Medium | Not required | None | None | Partial | The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allows local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices. |
| 23 | CVE-2017-17449 | 200 | | +Info | 2017-12-07 | 2018-05-31 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system. |
| 24 | CVE-2017-16911 | 200 | | +Info | 2018-01-31 | 2018-08-24 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4.114 allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP. |
| 25 | CVE-2016-6156 | 362 | | DoS | 2016-08-06 | 2016-11-28 | 1.9 | None | Local | Medium | Not required | None | None | Partial | Race condition in the ec_device_ioctl_xcmd function in drivers/platform/chrome/cros_ec_dev.c in the Linux kernel before 4.7 allows local users to cause a denial of service (out-of-bounds array access) by changing a certain size value, aka a "double fetch" vulnerability. |
| 26 | CVE-2016-6136 | 362 | | Bypass | 2016-08-06 | 2018-01-05 | 1.9 | None | Local | Medium | Not required | None | Partial | None | Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string, aka a "double fetch" vulnerability. |
| 27 | CVE-2016-6130 | 362 | | +Info | 2016-07-03 | 2016-11-28 | 1.9 | None | Local | Medium | Not required | Partial | None | None | Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel before 4.6 allows local users to obtain sensitive information from kernel memory by changing a certain length value, aka a "double fetch" vulnerability. |
| 28 | CVE-2015-8839 | 362 | | DoS | 2016-05-02 | 2020-10-02 | 1.9 | None | Local | Medium | Not required | None | None | Partial | Multiple race conditions in the ext4 filesystem implementation in the Linux kernel before 4.5 allow local users to cause a denial of service (disk corruption) by writing to a page that is associated with a different user's file after unsynchronized hole punching and page-fault handling. |
| 29 | CVE-2015-8569 | 200 | | Bypass +Info | 2015-12-28 | 2017-11-04 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel through 4.3.3 do not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application. |
| 30 | CVE-2015-7884 | 200 | | +Info | 2015-12-28 | 2016-12-07 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The vivid_fb_ioctl function in drivers/media/platform/vivid/vivid-osd.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application. |
| 31 | CVE-2015-2830 | 264 | | Bypass | 2015-05-27 | 2018-01-05 | 1.9 | None | Local | Medium | Not required | None | Partial | None | arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrated by an attack against seccomp before 3.16. |
| 32 | CVE-2015-1420 | 362 | | Bypass | 2015-03-16 | 2016-12-28 | 1.9 | None | Local | Medium | Not required | Partial | None | None | Race condition in the handle_to_path function in fs/fhandle.c in the Linux kernel through 3.19.1 allows local users to bypass intended size restrictions and trigger read operations on additional memory locations by changing the handle_bytes value of a file handle during the execution of this function. |
| 33 | CVE-2014-8134 | | | Bypass | 2014-12-12 | 2023-02-13 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value. |
| 34 | CVE-2014-4652 | 362 | | +Info | 2014-07-03 | 2020-08-14 | 1.9 | None | Local | Medium | Not required | Partial | None | None | Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. |
| 35 | CVE-2014-3647 | | | DoS | 2014-11-10 | 2023-02-13 | 1.9 | None | Local | Medium | Not required | None | None | Partial | arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 does not properly perform RIP changes, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application. |
| 36 | CVE-2014-1446 | 399 | | +Info | 2014-01-18 | 2017-08-29 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. |
| 37 | CVE-2014-1444 | 399 | | +Info | 2014-01-18 | 2017-08-29 | 1.7 | None | Local | Low | ??? | Partial | None | None | The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. |
| 38 | CVE-2013-2898 | 20 | | +Info | 2013-09-16 | 2013-10-31 | 1.9 | None | Local | Medium | Not required | Partial | None | None | drivers/hid/hid-sensor-hub.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_SENSOR_HUB is enabled, allows physically proximate attackers to obtain sensitive information from kernel memory via a crafted device. |
| 39 | CVE-2013-2636 | 399 | | +Info | 2013-03-22 | 2013-04-05 | 1.9 | None | Local | Medium | Not required | Partial | None | None | net/bridge/br_mdb.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application. |
| 40 | CVE-2013-2635 | 399 | | +Info | 2013-03-22 | 2014-02-07 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. |
| 41 | CVE-2013-2634 | 399 | | +Info | 2013-03-22 | 2014-02-07 | 1.9 | None | Local | Medium | Not required | Partial | None | None | net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. |
| 42 | CVE-2013-1958 | 264 | | Bypass | 2013-04-24 | 2023-02-13 | 1.9 | None | Local | Medium | Not required | None | Partial | None | The scm_check_creds function in net/core/scm.c in the Linux kernel before 3.8.6 does not properly enforce capability requirements for controlling the PID value associated with a UNIX domain socket, which allows local users to bypass intended access restrictions by leveraging the time interval during which a user namespace has been created but a PID namespace has not been created. |
| 43 | CVE-2013-0349 | 200 | | +Info | 2013-02-28 | 2023-02-13 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux kernel before 3.7.6 does not properly copy a certain name field, which allows local users to obtain sensitive information from kernel memory by setting a long name and making an HIDPCONNADD ioctl call. |
| 44 | CVE-2012-6549 | 200 | | +Info | 2013-03-15 | 2013-08-22 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. |
| 45 | CVE-2012-6548 | 200 | | +Info | 2013-03-15 | 2019-04-22 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. |
| 46 | CVE-2012-6547 | 200 | | +Info | 2013-03-15 | 2013-08-22 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. |
| 47 | CVE-2012-6546 | 200 | | +Info | 2013-03-15 | 2019-04-22 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. |
| 48 | CVE-2012-6545 | 200 | | +Info | 2013-03-15 | 2019-04-22 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application. |
| 49 | CVE-2012-6544 | 200 | | +Info | 2013-03-15 | 2019-04-22 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. |
| 50 | CVE-2012-6543 | 200 | | +Info | 2013-03-15 | 2013-03-18 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The l2tp_ip6_getname function in net/l2tp/l2tp_ip6.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. |