| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-16921 |
665 |
|
+Info |
2019-09-27 |
2019-09-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In the Linux kernel before 4.17, hns_roce_alloc_ucontext in drivers/infiniband/hw/hns/hns_roce_main.c does not initialize the resp data structure, which might allow attackers to obtain sensitive information from kernel stack memory, aka CID-df7e40425813. |
|
2 |
CVE-2019-16714 |
200 |
|
+Info |
2019-09-23 |
2019-09-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain sensitive information from kernel stack memory because tos and flags fields are not initialized. |
|
3 |
CVE-2019-15902 |
200 |
|
+Info |
2019-09-04 |
2019-10-10 |
4.7 |
None |
Local |
Medium |
Not required |
Complete |
None |
None |
|
A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped. |
|
4 |
CVE-2019-15031 |
200 |
|
+Info |
2019-09-13 |
2019-09-18 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
None |
Partial |
|
In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via an interrupt. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE is misused in arch/powerpc/kernel/process.c. |
|
5 |
CVE-2019-11884 |
77 |
|
+Info |
2019-05-10 |
2019-05-31 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a '\0' character. |
|
6 |
CVE-2019-11833 |
200 |
|
+Info |
2019-05-15 |
2019-06-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem. |
|
7 |
CVE-2019-11599 |
362 |
|
DoS +Info |
2019-04-29 |
2019-05-28 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c. |
|
8 |
CVE-2019-10639 |
200 |
|
Bypass +Info |
2019-07-05 |
2019-07-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to have a dependency on an address associated with a network namespace. |
|
9 |
CVE-2019-10638 |
200 |
|
+Info |
2019-07-05 |
2019-07-19 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses. |
|
10 |
CVE-2019-7222 |
200 |
|
+Info |
2019-03-21 |
2019-08-06 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. |
|
11 |
CVE-2019-5489 |
200 |
|
+Info |
2019-01-07 |
2019-05-31 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server. |
|
12 |
CVE-2019-3460 |
200 |
|
+Info |
2019-04-11 |
2019-05-28 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel before 5.1-rc1. |
|
13 |
CVE-2019-3459 |
200 |
|
+Info |
2019-04-11 |
2019-05-28 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1. |
|
14 |
CVE-2018-20511 |
200 |
|
+Info |
2018-12-27 |
2019-04-01 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in drivers/net/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call. |
|
15 |
CVE-2018-20510 |
200 |
|
+Info |
2019-04-30 |
2019-05-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The print_binder_transaction_ilocked function in drivers/android/binder.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading "*from *code *flags" lines in a debugfs file. |
|
16 |
CVE-2018-20509 |
200 |
|
+Info |
2019-04-30 |
2019-05-17 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The print_binder_ref_olocked function in drivers/android/binder.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading " ref *desc *node" lines in a debugfs file. |
|
17 |
CVE-2018-20449 |
200 |
|
+Info |
2019-04-04 |
2019-05-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The hidma_chan_stats function in drivers/dma/qcom/hidma_dbg.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading "callback=" lines in a debugfs file. |
|
18 |
CVE-2018-18710 |
200 |
|
+Info |
2018-10-29 |
2019-04-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658. |
|
19 |
CVE-2018-16862 |
200 |
|
+Info |
2018-11-26 |
2019-04-01 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one. |
|
20 |
CVE-2018-16658 |
200 |
|
+Info |
2018-09-07 |
2019-08-06 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
None |
Partial |
|
An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940. |
|
21 |
CVE-2018-15594 |
200 |
|
+Info |
2018-08-20 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests. |
|
22 |
CVE-2018-15471 |
190 |
|
DoS Overflow +Info |
2018-08-17 |
2018-11-15 |
6.8 |
None |
Local |
Low |
Single system |
Complete |
Complete |
Complete |
|
An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used in Xen through 4.11.x and other products. The Linux netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks. |
|
23 |
CVE-2018-14625 |
362 |
|
+Info |
2018-09-10 |
2019-08-06 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients. |
|
24 |
CVE-2018-12633 |
362 |
|
DoS +Info |
2018-06-21 |
2018-08-21 |
6.3 |
None |
Local |
Medium |
Not required |
Complete |
None |
Complete |
|
An issue was discovered in the Linux kernel through 4.17.2. vbg_misc_device_ioctl() in drivers/virt/vboxguest/vboxguest_linux.c reads the same user data twice with copy_from_user. The header part of the user data is double-fetched, and a malicious user thread can tamper with the critical variables (hdr.size_in and hdr.size_out) in the header between the two fetches because of a race condition, leading to severe kernel errors, such as buffer over-accesses. This bug can cause a local denial of service and information leakage. |
|
25 |
CVE-2018-11508 |
200 |
|
+Info |
2018-05-28 |
2019-01-22 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The compat_get_timex function in kernel/compat.c in the Linux kernel before 4.16.9 allows local users to obtain sensitive information from kernel memory via adjtimex. |
|
26 |
CVE-2018-7755 |
200 |
|
Bypass +Info |
2018-03-08 |
2018-10-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR. |
|
27 |
CVE-2018-7754 |
534 |
|
+Info |
2018-08-10 |
2018-10-10 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The aoedisk_debugfs_show function in drivers/block/aoe/aoeblk.c in the Linux kernel through 4.16.4rc4 allows local users to obtain sensitive address information by reading "ffree: " lines in a debugfs file. |
|
28 |
CVE-2018-7273 |
200 |
|
Bypass +Info |
2018-02-20 |
2018-03-24 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
In the Linux kernel through 4.15.4, the floppy driver reveals the addresses of kernel functions and global variables using printk calls within the function show_floppy in drivers/block/floppy.c. An attacker can read this information from dmesg and use the addresses to find the locations of kernel code and data and bypass kernel security protections such as KASLR. |
|
29 |
CVE-2018-6559 |
200 |
|
+Info |
2018-10-26 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The Linux kernel, as used in Ubuntu 18.04 LTS and Ubuntu 18.10, allows local users to obtain names of files in which they would not normally be able to access via an overlayfs mount inside of a user namespace. |
|
30 |
CVE-2018-6412 |
200 |
|
+Info |
2018-01-31 |
2018-03-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands. |
|
31 |
CVE-2018-5995 |
200 |
|
+Info |
2018-08-07 |
2019-05-28 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The pcpu_embed_first_chunk function in mm/percpu.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a "pages/cpu" printk call. |
|
32 |
CVE-2018-5953 |
200 |
|
+Info |
2018-08-07 |
2019-04-01 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The swiotlb_print_info function in lib/swiotlb.c in the Linux kernel through 4.14.14 allows local users to obtain sensitive address information by reading dmesg data from a "software IO TLB" printk call. |
|
33 |
CVE-2018-5750 |
200 |
|
+Info |
2018-01-26 |
2018-10-31 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call. |
|
34 |
CVE-2018-1118 |
200 |
|
+Info |
2018-05-10 |
2019-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Linux kernel vhost since version 4.8 does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file. |
|
35 |
CVE-2017-1000410 |
200 |
|
Bypass +Info |
2017-12-07 |
2019-04-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Linux kernel version 3.3-rc1 and later is affected by a vulnerability lies in the processing of incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. This info leak is a result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. By manipulating the code flows that precede the handling of these configuration messages, an attacker can also gain some control over which data will be held in the uninitialized stack variables. This can allow him to bypass KASLR, and stack canaries protection - as both pointers and stack canaries may be leaked in this manner. Combining this vulnerability (for example) with the previously disclosed RCE vulnerability in L2CAP configuration parsing (CVE-2017-1000251) may allow an attacker to exploit the RCE against kernels which were built with the above mitigations. These are the specifics of this vulnerability: In the function l2cap_parse_conf_rsp and in the function l2cap_parse_conf_req the following variable is declared without initialization: struct l2cap_conf_efs efs; In addition, when parsing input configuration parameters in both of these functions, the switch case for handling EFS elements may skip the memcpy call that will write to the efs variable: ... case L2CAP_CONF_EFS: if (olen == sizeof(efs)) memcpy(&efs, (void *)val, olen); ... The olen in the above if is attacker controlled, and regardless of that if, in both of these functions the efs variable would eventually be added to the outgoing configuration request that is being built: l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs); So by sending a configuration request, or response, that contains an L2CAP_CONF_EFS element, but with an element length that is not sizeof(efs) - the memcpy to the uninitialized efs variable can be avoided, and the uninitialized variable would be returned to the attacker (16 bytes). |
|
36 |
CVE-2017-1000380 |
200 |
|
+Info |
2017-06-17 |
2017-12-05 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time. |
|
37 |
CVE-2017-18550 |
200 |
|
+Info |
2019-08-18 |
2019-08-23 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure. |
|
38 |
CVE-2017-18549 |
200 |
|
+Info |
2019-08-18 |
2019-08-23 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_send_raw_srb does not initialize the reply structure. |
|
39 |
CVE-2017-17864 |
200 |
|
+Info |
2017-12-27 |
2018-01-12 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information, aka a "pointer leak." |
|
40 |
CVE-2017-17741 |
125 |
|
+Info |
2017-12-18 |
2018-04-24 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The KVM implementation in the Linux kernel through 4.14.7 allows attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h. |
|
41 |
CVE-2017-17449 |
200 |
|
+Info |
2017-12-06 |
2018-05-30 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system. |
|
42 |
CVE-2017-16994 |
200 |
|
+Info |
2017-11-27 |
2018-04-24 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call. |
|
43 |
CVE-2017-16911 |
200 |
|
+Info |
2018-01-31 |
2018-08-24 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4.114 allows allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP. |
|
44 |
CVE-2017-15537 |
200 |
|
+Info |
2017-10-17 |
2018-01-12 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The x86/fpu (Floating Point Unit) subsystem in the Linux kernel before 4.13.5, when a processor supports the xsave feature but not the xsaves feature, does not correctly handle attempts to set reserved bits in the xstate header via the ptrace() or rt_sigreturn() system call, allowing local users to read the FPU registers of other processes on the system, related to arch/x86/kernel/fpu/regset.c and arch/x86/kernel/fpu/signal.c. |
|
45 |
CVE-2017-14991 |
200 |
|
+Info |
2017-10-03 |
2018-08-24 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0. |
|
46 |
CVE-2017-14954 |
200 |
|
Bypass +Info |
2017-10-01 |
2017-10-06 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The waitid implementation in kernel/exit.c in the Linux kernel through 4.13.4 accesses rusage data structures in unintended cases, which allows local users to obtain sensitive information, and bypass the KASLR protection mechanism, via a crafted system call. |
|
47 |
CVE-2017-14156 |
200 |
|
+Info |
2017-09-05 |
2018-03-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The atyfb_ioctl function in drivers/video/fbdev/aty/atyfb_base.c in the Linux kernel through 4.12.10 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading locations associated with padding bytes. |
|
48 |
CVE-2017-14140 |
200 |
|
+Info |
2017-09-05 |
2018-04-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR. |
|
49 |
CVE-2017-13695 |
200 |
|
Bypass +Info |
2017-08-25 |
2018-09-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. |
|
50 |
CVE-2017-13694 |
200 |
|
Bypass +Info |
2017-08-25 |
2017-09-20 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. |
