A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrmprobealgs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.
The fix has been backported to 5.15.64 version of the upstream Linux kernel (5.15 is the upstream Kernel long term version Talos ships with). Talos >= v1.2.0 is shipped with Linux Kernel 5.15.64 fixing the above issue.
Kubernetes workloads running in Talos are not affected since user namespaces are disabled in Talos kernel config. So an unprivileged user cannot obtain CAPNETADMIN by unsharing. However untrusted workloads that run with privileged: true or having NET_ADMIN capability poses a risk.
Audit kubernetes workloads running in the cluster with privileged: true set or having NET_ADMIN capability and assess the threat vector.
{ "nvd_published_at": null, "cwe_ids": [ "CWE-362", "CWE-787" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-09-16T17:17:37Z" }