| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-40617 | 400 | | DoS | 2022-10-31 | 2023-01-27 | 0.0 | None | n/a | n/a | n/a | n/a | n/a | n/a | strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data. |
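The two failure modes in the strongSwan entry above (a CRL/OCSP host that completes the TCP handshake and then stays silent, and one that streams data without end) apply to any revocation fetcher that trusts a URL taken from a peer's certificate. The following is an added example, not strongSwan's code and not part of the original listing: it stands up two constructed localhost servers with exactly those behaviours and runs a client fetch that enforces the two controls the description implies, a per-operation socket timeout and a hard cap on accepted bytes. The request line, the host name `crl.example`, the 0.5 s timeout and the 256 KiB cap are assumptions chosen for the demonstration.

```python
import socket
import threading

# Constructed test doubles standing in for an attacker-controlled CRL/OCSP host.
# Each one serves exactly one connection on an ephemeral localhost port.
def serve_once(handler):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        try:
            handler(conn)
        except OSError:
            pass  # client hung up; the expected ending for the flood case
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def stall_handler(conn):
    # Completes the handshake, reads the request, then never sends a byte.
    conn.settimeout(10)
    try:
        conn.recv(4096)
        conn.recv(4096)  # returns b"" once the client gives up and closes
    except socket.timeout:
        pass


def flood_handler(conn):
    # Answers with a plausible header and then streams data indefinitely.
    conn.recv(4096)
    chunk = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pkix-crl\r\n\r\n"
             + b"A" * 65536)
    while True:
        conn.sendall(chunk)  # raises once the client closes the socket


def fetch_bounded(port, timeout=0.5, max_bytes=256 * 1024):
    """Fetch from 127.0.0.1:port with a deadline on every socket operation
    and a hard cap on accepted bytes. Returns (outcome, bytes_received)."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.settimeout(timeout)  # applies to every recv, not only the connect
        s.sendall(b"GET /ca.crl HTTP/1.1\r\nHost: crl.example\r\n"
                  b"Connection: close\r\n\r\n")
        received = 0
        try:
            while True:
                data = s.recv(65536)
                if not data:
                    return "ok", received
                received += len(data)
                if received > max_bytes:
                    return "too_large", received  # stop before memory grows
        except socket.timeout:
            return "timeout", received  # silent server: give up, do not hang


def run_demo():
    return {
        "stall": fetch_bounded(serve_once(stall_handler)),
        "flood": fetch_bounded(serve_once(flood_handler)),
    }


if __name__ == "__main__":
    for name, (outcome, n) in run_demo().items():
        print(f"{name:5s} -> {outcome} after {n} bytes")
```

Without `settimeout` the stall case blocks the fetching thread for as long as the attacker keeps the connection open; without the byte cap the flood case grows the response buffer until the process runs out of memory. Both limits have to apply to the fetch that a certificate's embedded URL triggers, because the attacker chooses that URL.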
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2 | CVE-2022-39177 | | | DoS | 2022-09-02 | 2022-11-07 | 0.0 | None | n/a | n/a | n/a | n/a | n/a | n/a | BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c. |
| 3 | CVE-2022-39176 | | | +Info | 2022-09-02 | 2022-11-07 | 0.0 | None | n/a | n/a | n/a | n/a | n/a | n/a | BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len. |
| 4 | CVE-2022-34918 | 843 | | Overflow | 2022-07-04 | 2022-10-26 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. |
| 5 | CVE-2022-29581 | 416 | | | 2022-05-17 | 2022-10-19 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects Linux Kernel versions 4.14 and later, prior to 5.18. |
| 6 | CVE-2022-20698 | 20 | | DoS | 2022-01-14 | 2022-01-21 | 5.0 | None | Remote | Low | Not required | None | None | Partial | A vulnerability in the OOXML parsing module in Clam AntiVirus (ClamAV) Software version 0.104.1 and LTS version 0.103.4 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper checks that may result in an invalid pointer read. An attacker could exploit this vulnerability by sending a crafted OOXML file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition. |
| 7 | CVE-2022-1055 | 416 | | +Priv | 2022-03-29 | 2022-10-19 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces. We recommend upgrading past commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5. |
| 8 | CVE-2022-0492 | 287 | | Bypass | 2022-03-03 | 2022-10-19 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly. |
| 9 | CVE-2021-45417 | 787 | | Overflow | 2022-01-20 | 2022-01-26 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow. |
| 10 | CVE-2021-45079 | 476 | | | 2022-01-31 | 2022-07-12 | 5.8 | None | Remote | Medium | Not required | Partial | None | Partial | In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication. |
| 11 | CVE-2021-44731 | 362 | | Exec Code +Priv | 2022-02-17 | 2023-02-03 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap's private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1. |
| 12 | CVE-2021-44730 | 59 | | +Priv | 2022-02-17 | 2022-02-28 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location could cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1. |
| 13 | CVE-2021-44420 | | | Bypass | 2021-12-08 | 2022-07-12 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. |
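The Django entry above hinges on a Python regular-expression detail: `$` matches at the end of a string and also just before a trailing `\n`, while `\Z` matches only at the true end. A front proxy that compares the decoded path exactly will not recognise `/admin/%0A` as `/admin/`, yet a route anchored with `$` still resolves it to the admin view. The following is an added example, not Django's code and not part of the original listing. It models both hops with a constructed exact-match deny list standing in for the upstream control (an assumption about the deployment) and a two-entry route table compiled in the shape Django uses for leaf patterns, once with the `$` terminator of the affected releases and once with the `\Z` terminator that the fixed releases use.

```python
import re
from urllib.parse import unquote

# Constructed upstream rule standing in for a front proxy that denies the exact
# path "/admin/". This is an assumption about the deployment, not Django code.
UPSTREAM_DENY_EXACT = {"/admin/"}


def upstream_allows(path: str) -> bool:
    return path not in UPSTREAM_DENY_EXACT


# Minimal route table in the shape Django builds from path() patterns. Django
# strips the leading "/" from the request path before matching.
ROUTES = {"admin": "admin/", "home": ""}


def compile_routes(terminator: str):
    # A leaf route is anchored as "^<route><terminator>". With "$" the pattern
    # also matches "admin/\n"; with r"\Z" it matches "admin/" only.
    return {name: re.compile("^" + re.escape(route) + terminator)
            for name, route in ROUTES.items()}


VULNERABLE_ROUTES = compile_routes("$")    # affected releases
FIXED_ROUTES = compile_routes(r"\Z")        # 2.2.25 / 3.1.14 / 3.2.10


def resolve(routes, path: str):
    target = path[1:] if path.startswith("/") else path
    for name, pattern in routes.items():
        if pattern.match(target):
            return name
    return None


def handle(routes, raw_request_path: str) -> str:
    """Model the two hops: upstream path check, then URL resolution.
    Returns the view name that would run, 'blocked', or '404'."""
    path = unquote(raw_request_path)  # "%0A" becomes "\n" before either check
    if not upstream_allows(path):
        return "blocked"
    return resolve(routes, path) or "404"


if __name__ == "__main__":
    for label, routes in (("vulnerable", VULNERABLE_ROUTES), ("fixed", FIXED_ROUTES)):
        for raw in ("/admin/", "/admin/%0A", "/"):
            print(f"{label:10s} {raw!r:14s} -> {handle(routes, raw)}")
```

The same `$`-versus-`\Z` distinction matters in any Python code that validates a path, token or identifier with a regular expression and then hands the value to a component that compares it differently; `re.fullmatch` or an explicit `\Z` closes the gap.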
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 14 | CVE-2021-44142 | 125 | | Exec Code | 2022-02-21 | 2022-02-23 | 9.0 | None | Remote | Low | n/a | Complete | Complete | Complete | The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root. |
| 15 | CVE-2021-32555 | 59 | | | 2021-06-12 | 2021-06-16 | 2.1 | None | Local | Low | Not required | Partial | None | None | It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the xorg-hwe-18.04 package apport hooks, it could expose private data to other local users. |
| 16 | CVE-2021-32554 | 59 | | | 2021-06-12 | 2021-06-16 | 2.1 | None | Local | Low | Not required | Partial | None | None | It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the xorg package apport hooks, it could expose private data to other local users. |
| 17 | CVE-2021-32553 | 59 | | | 2021-06-12 | 2021-06-16 | 2.1 | None | Local | Low | Not required | Partial | None | None | It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-17 package apport hooks, it could expose private data to other local users. |
| 18 | CVE-2021-32552 | 59 | | | 2021-06-12 | 2021-06-15 | 2.1 | None | Local | Low | Not required | Partial | None | None | It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users. |
| 19 | CVE-2021-32551 | 59 | | | 2021-06-12 | 2021-06-15 | 2.1 | None | Local | Low | Not required | Partial | None | None | It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-15 package apport hooks, it could expose private data to other local users. |
| 20 | CVE-2021-32550 | 59 | | | 2021-06-12 | 2021-06-15 | 2.1 | None | Local | Low | Not required | Partial | None | None | It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-14 package apport hooks, it could expose private data to other local users. |
| 21 | CVE-2021-32549 | 59 | | | 2021-06-12 | 2021-06-15 | 2.1 | None | Local | Low | Not required | Partial | None | None | It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-13 package apport hooks, it could expose private data to other local users. |
| 22 | CVE-2021-32548 | 59 | | | 2021-06-12 | 2021-06-15 | 2.1 | None | Local | Low | Not required | Partial | None | None | It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-8 package apport hooks, it could expose private data to other local users. |
| 23 | CVE-2021-32547 | 59 | | | 2021-06-12 | 2021-06-15 | 2.1 | None | Local | Low | Not required | Partial | None | None | It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-lts package apport hooks, it could expose private data to other local users. |
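The nine apport entries above (CVE-2021-32547 through CVE-2021-32555) describe one helper, `read_file()` in apport/hookutils.py, reading a path that a local user can pre-arrange: a symlink redirects the privileged read to another user's private file, and a FIFO makes the hook block. The following is an added example, not apport's code and not part of the original listing. It puts the plain `open()` pattern the descriptions attribute to the helper beside a hardened reader that opens with `O_NOFOLLOW | O_NONBLOCK`, then checks the descriptor it actually holds with `fstat` and accepts only a regular file, and it builds a constructed fixture (a private file, a symlink to it under a log-file name, and a FIFO) to exercise both. The file names and contents are assumptions for the demonstration; the example is POSIX-only.

```python
import os
import stat
import tempfile


def read_file_unsafe(path: str) -> bytes:
    # The pattern the advisories describe: open() follows a symlink placed at
    # the path, and blocks indefinitely on a FIFO that has no writer.
    with open(path, "rb") as f:
        return f.read()


def read_file_safe(path: str, max_bytes: int = 1 << 20):
    """Read a file that must be a regular file at the final path component.
    Returns the bytes, or None when the path is refused.

    O_NOFOLLOW refuses a symlink at the last component only; a symlinked
    parent directory is still followed, so callers must trust the directory.
    """
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    flags |= getattr(os, "O_NOCTTY", 0)  # never acquire a terminal by accident
    try:
        fd = os.open(path, flags)
    except OSError:
        return None  # ELOOP for a symlink, ENOENT, EACCES, ...
    try:
        st = os.fstat(fd)  # checked on the descriptor we hold: no TOCTOU window
        if not stat.S_ISREG(st.st_mode):
            return None  # FIFO, device node, socket or directory
        chunks, total = [], 0
        while total < max_bytes:  # bounded read: no unbounded memory growth
            data = os.read(fd, min(65536, max_bytes - total))
            if not data:
                break
            chunks.append(data)
            total += len(data)
        return b"".join(chunks)
    finally:
        os.close(fd)


def build_fixture():
    """Constructed directory holding the three inputs a hook could be pointed
    at: a private regular file, a symlink to it, and a FIFO."""
    d = tempfile.mkdtemp(prefix="hookutils-demo-")
    secret = os.path.join(d, "private.log")
    with open(secret, "wb") as f:
        f.write(b"token=constructed-secret\n")
    link = os.path.join(d, "Xorg.0.log")  # plausible hook target, redirected
    os.symlink(secret, link)
    fifo = None
    if hasattr(os, "mkfifo"):
        fifo = os.path.join(d, "Xorg.1.log")
        os.mkfifo(fifo)
    return {"secret": secret, "link": link, "fifo": fifo}


if __name__ == "__main__":
    fx = build_fixture()
    print("unsafe via symlink:", read_file_unsafe(fx["link"]))
    print("safe   via symlink:", read_file_safe(fx["link"]))
    print("safe   regular    :", read_file_safe(fx["secret"]))
    if fx["fifo"]:
        print("safe   FIFO       :", read_file_safe(fx["fifo"]))
```

The FIFO case is why the check is on the descriptor rather than on a preceding `os.stat()`: a separate stat call leaves a window in which the path can be swapped, and without `O_NONBLOCK` the open itself would hang until a writer appears. The unsafe reader is deliberately never called on the FIFO in the demo for that reason.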
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 24 | CVE-2021-27364 | 125 | | | 2021-03-07 | 2021-12-08 | 3.6 | None | Local | Low | Not required | Partial | None | Partial | An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages. |
| 25 | CVE-2021-4120 | 20 | | | 2022-02-17 | 2022-03-01 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1. |
| 26 | CVE-2021-4115 | | | | 2022-02-21 | 2022-08-09 | 2.1 | None | Local | Low | Not required | None | None | Partial | There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion. The highest threat from this vulnerability is to availability. NOTE: Polkit process outage duration is tied to the failing process being reaped and a new one being spawned. |
| 27 | CVE-2021-4093 | 125 | | | 2022-02-18 | 2023-01-19 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | A flaw was found in the KVM's AMD code for supporting the Secure Encrypted Virtualization-Encrypted State (SEV-ES). A KVM guest using SEV-ES can trigger out-of-bounds reads and writes in the host kernel via a malicious VMGEXIT for a string I/O instruction (for example, outs or ins) using the exit reason SVM_EXIT_IOIO. This issue results in a crash of the entire system or a potential guest-to-host escape scenario. |
| 28 | CVE-2021-4034 | 787 | | Exec Code | 2022-01-28 | 2023-02-13 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that it induces pkexec to execute arbitrary code. When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine. |
| 29 | CVE-2021-3975 | 416 | | DoS | 2022-08-23 | 2023-02-03 | 0.0 | None | n/a | n/a | n/a | n/a | n/a | n/a | A use-after-free flaw was found in libvirt. The qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down. An unprivileged client with a read-only connection could use this flaw to perform a denial of service attack by causing the libvirt daemon to crash. |
| 30 | CVE-2021-3939 | 763 | | | 2021-11-17 | 2021-11-19 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | Ubuntu-specific modifications to accountsservice (in patch file debian/patches/0010-set-language.patch) caused the fallback_locale variable, pointing to static storage, to be freed, in the user_change_language_authorized_cb function. This is reachable via the SetLanguage dbus function. This is fixed in versions 0.6.55-0ubuntu12~20.04.5, 0.6.55-0ubuntu13.3, 0.6.55-0ubuntu14.1. |
| 31 | CVE-2021-3905 | 401 | | | 2022-08-23 | 2022-08-27 | 0.0 | None | n/a | n/a | n/a | n/a | n/a | n/a | A memory leak was found in Open vSwitch (OVS) during userspace IP fragmentation processing. An attacker could use this flaw to potentially exhaust available memory by continuously sending packet fragments. |
| 32 | CVE-2021-3748 | 416 | | DoS Exec Code | 2022-03-23 | 2023-01-03 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. |
| 33 | CVE-2021-3737 | 400 | | | 2022-03-04 | 2023-02-02 | 7.1 | None | Remote | Medium | Not required | None | None | Complete | A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability. |
| 34 | CVE-2021-3640 | 362 | | | 2022-03-03 | 2023-02-12 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | A use-after-free flaw in the function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way a user calls the ioctl UFFDIO_REGISTER, or otherwise triggers a race condition between the call sco_conn_del() and the call sco_sock_sendmsg(), with the expected controllable faulting memory page. A privileged local user could use this flaw to crash the system or escalate their privileges on the system. |
| 35 | CVE-2021-3560 | 754 | | Bypass | 2022-02-16 | 2022-07-11 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
| 36 | CVE-2021-3493 | 269 | | +Priv | 2021-04-17 | 2022-10-27 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges. |
| 37 | CVE-2021-3492 | 415 | | DoS +Priv | 2021-04-17 | 2021-05-21 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user(). This could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (kernel memory exhaustion) or gain privileges via executing arbitrary code. AKA ZDI-CAN-13562. |
| 38 | CVE-2021-3491 | 787 | | Exec Code Overflow Bypass | 2021-06-04 | 2021-09-14 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being used in mem_rw when reading `/proc/<PID>/mem`. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b ("io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") (v5.7-rc1). |
| 39 | CVE-2021-3490 | 125 | | Exec Code | 2021-06-04 | 2021-09-14 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 ("bpf: Fix a verifier failure with xor") (5.10-rc1). |
| 40 | CVE-2021-3489 | 787 | | Exec Code | 2021-06-04 | 2021-09-14 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee ("bpf, ringbuf: Deny reserve of buffers larger than ringbuf") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") (v5.8-rc1). |
| 41 | CVE-2021-3444 | 125 | | Exec Code | 2021-03-23 | 2021-12-02 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this to gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 ("bpf: Fix truncation handling for mod32 dst reg wrt zero") and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. |
| 42 | CVE-2021-3155 | 276 | | | 2022-02-17 | 2022-02-25 | 2.1 | None | Local | Low | Not required | Partial | None | None | snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1. |
| 43 | CVE-2020-29385 | 835 | | DoS Exec Code | 2020-12-26 | 2021-03-22 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | GNOME gdk-pixbuf (aka GdkPixbuf) before 2.42.2 allows a denial of service (infinite loop) in lzw.c in the function write_indexes: if c->self_code equals 10, self->code_table[10].extends will assign the value 11 to c. The next execution in the loop will assign self->code_table[11].extends to c, which will give the value of 10. This will make the loop run infinitely. This bug can, for example, be triggered by calling this function with a GIF image with LZW compression that is crafted in a special way. |
| 44 | CVE-2020-29372 | 362 | | | 2020-11-28 | 2022-10-06 | 4.7 | None | Local | Medium | Not required | None | None | Complete | An issue was discovered in do_madvise in mm/madvise.c in the Linux kernel before 5.6.8. There is a race condition between coredump operations and the IORING_OP_MADVISE implementation, aka CID-bc0c4d1e176e. |
| 45 | CVE-2020-28040 | 352 | | CSRF | 2020-11-02 | 2022-06-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 5.5.2 allows CSRF attacks that change a theme's background image. |
| 46 | CVE-2020-28039 | | | | 2020-11-02 | 2022-06-29 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial | is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected. |
| 47 | CVE-2020-27349 | 862 | | | 2020-12-09 | 2020-12-11 | 2.1 | None | Local | Low | Not required | None | None | Partial | Aptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5. |
| 48 | CVE-2020-27348 | 427 | | Exec Code | 2020-12-04 | 2020-12-14 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial | In some conditions, a snap package built by snapcraft includes the current directory in LD_LIBRARY_PATH, allowing a malicious snap to gain code execution within the context of another snap if both plug the home interface or similar. This issue affects snapcraft versions prior to 4.4.4, prior to 2.43.1+16.04.1, and prior to 2.43.1+18.04.1. |
| 49 | CVE-2020-27171 | 193 | | +Info | 2021-03-20 | 2022-07-30 | 3.6 | None | Local | Low | Not required | Partial | None | Partial | An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d. |
| 50 | CVE-2020-27170 | 203 | | +Info | 2021-03-20 | 2022-07-30 | 1.9 | None | Local | Medium | Not required | Partial | None | None | An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit. |