OESA-2022-1621

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1621
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2022-1621.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2022-1621
Upstream
  • CVE-2020-26142
  • CVE-2022-20009
Published
2022-04-29T11:03:42Z
Modified
2025-08-12T05:05:59.579594Z
Summary
kernel security update
Details

The Linux Kernel, the operating system core itself.

Security Fix(es):

A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.(CVE-2022-27666)

In aiopollcomplete_work of aio.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-185125206References: Upstream kernel(CVE-2021-39698)

Vulnerability Summary for CVE-2022-1198.(CVE-2022-1198)

emsusbstartxmit in drivers/net/can/usb/emsusb.c in the Linux kernel through 5.17.1 has a double free.(CVE-2022-28390)

A flaw was found in the Linux kernel in net/netfilter/nftablescore.c:nftdochain, which can cause a use-after-free. This issue needs to handle return with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.(CVE-2022-1016)

Product: AndroidVersions: Android kernelAndroid ID: A-173788806References: Upstream kernel.(CVE-2021-39713)

A use-after-free exists in the Linux Kernel in tcnewtfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces. We recommend upgrading past commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5.(CVE-2022-1055)

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042.(CVE-2022-23039)

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042.(CVE-2022-23040)

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042.(CVE-2022-23041)

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042.(CVE-2022-23042)

The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xsxprtfree before ensuring that sockets are in the intended state.(CVE-2022-28893)

In various functions of the USB gadget subsystem, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-213172319References: Upstream kernel(CVE-2022-20009)

An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.(CVE-2020-26142)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.19.90-2204.4.0.0147.oe1

Ecosystem specific 

{
    "src": [
        "kernel-4.19.90-2204.4.0.0147.oe1.src.rpm"
    ],
    "aarch64": [
        "kernel-devel-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "python3-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "bpftool-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "kernel-source-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "python3-perf-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "kernel-tools-devel-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "perf-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "perf-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "bpftool-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "kernel-tools-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "kernel-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "python2-perf-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "kernel-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "kernel-tools-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "python2-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "kernel-debugsource-4.19.90-2204.4.0.0147.oe1.aarch64.rpm"
    ],
    "x86_64": [
        "kernel-tools-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "python3-perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "bpftool-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-tools-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "python2-perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-devel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "python2-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "python3-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "bpftool-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-tools-devel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-debugsource-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-source-4.19.90-2204.4.0.0147.oe1.x86_64.rpm"
    ]
}

openEuler:20.03-LTS-SP2 / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-20.03-LTS-SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.19.90-2204.4.0.0146.oe1

Ecosystem specific 

{
    "src": [
        "kernel-4.19.90-2204.4.0.0146.oe1.src.rpm"
    ],
    "aarch64": [
        "kernel-devel-4.19.90-2204.4.0.0146.oe1.aarch64.rpm",
        "python3-perf-debuginfo-4.19.90-2204.4.0.0146.oe1.aarch64.rpm",
        "bpftool-debuginfo-4.19.90-2204.4.0.0146.oe1.aarch64.rpm",
        "kernel-source-4.19.90-2204.4.0.0146.oe1.aarch64.rpm",
        "python3-perf-4.19.90-2204.4.0.0146.oe1.aarch64.rpm",
        "kernel-tools-devel-4.19.90-2204.4.0.0146.oe1.aarch64.rpm",
        "perf-debuginfo-4.19.90-2204.4.0.0146.oe1.aarch64.rpm",
        "perf-4.19.90-2204.4.0.0146.oe1.aarch64.rpm",
        "bpftool-4.19.90-2204.4.0.0146.oe1.aarch64.rpm",
        "kernel-tools-4.19.90-2204.4.0.0146.oe1.aarch64.rpm",
        "kernel-4.19.90-2204.4.0.0146.oe1.aarch64.rpm",
        "python2-perf-4.19.90-2204.4.0.0146.oe1.aarch64.rpm",
        "kernel-debuginfo-4.19.90-2204.4.0.0146.oe1.aarch64.rpm",
        "kernel-tools-debuginfo-4.19.90-2204.4.0.0146.oe1.aarch64.rpm",
        "python2-perf-debuginfo-4.19.90-2204.4.0.0146.oe1.aarch64.rpm",
        "kernel-debugsource-4.19.90-2204.4.0.0146.oe1.aarch64.rpm"
    ],
    "x86_64": [
        "python3-perf-4.19.90-2204.4.0.0146.oe1.x86_64.rpm",
        "kernel-tools-debuginfo-4.19.90-2204.4.0.0146.oe1.x86_64.rpm",
        "kernel-debuginfo-4.19.90-2204.4.0.0146.oe1.x86_64.rpm",
        "kernel-tools-4.19.90-2204.4.0.0146.oe1.x86_64.rpm",
        "bpftool-debuginfo-4.19.90-2204.4.0.0146.oe1.x86_64.rpm",
        "kernel-debugsource-4.19.90-2204.4.0.0146.oe1.x86_64.rpm",
        "python3-perf-debuginfo-4.19.90-2204.4.0.0146.oe1.x86_64.rpm",
        "kernel-devel-4.19.90-2204.4.0.0146.oe1.x86_64.rpm",
        "python2-perf-debuginfo-4.19.90-2204.4.0.0146.oe1.x86_64.rpm",
        "kernel-tools-devel-4.19.90-2204.4.0.0146.oe1.x86_64.rpm",
        "perf-4.19.90-2204.4.0.0146.oe1.x86_64.rpm",
        "bpftool-4.19.90-2204.4.0.0146.oe1.x86_64.rpm",
        "kernel-source-4.19.90-2204.4.0.0146.oe1.x86_64.rpm",
        "python2-perf-4.19.90-2204.4.0.0146.oe1.x86_64.rpm",
        "kernel-4.19.90-2204.4.0.0146.oe1.x86_64.rpm",
        "perf-debuginfo-4.19.90-2204.4.0.0146.oe1.x86_64.rpm"
    ]
}

openEuler:20.03-LTS-SP3 / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-20.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.19.90-2204.4.0.0147.oe1

Ecosystem specific 

{
    "src": [
        "kernel-4.19.90-2204.4.0.0147.oe1.src.rpm"
    ],
    "aarch64": [
        "kernel-devel-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "python3-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "bpftool-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "kernel-source-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "python3-perf-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "kernel-tools-devel-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "perf-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "perf-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "bpftool-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "kernel-tools-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "kernel-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "python2-perf-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "kernel-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "kernel-tools-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "python2-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm",
        "kernel-debugsource-4.19.90-2204.4.0.0147.oe1.aarch64.rpm"
    ],
    "x86_64": [
        "kernel-devel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-source-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "python2-perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "python3-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "python3-perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "bpftool-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-tools-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "python2-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-tools-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-debugsource-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-tools-devel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "bpftool-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-devel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-source-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "python2-perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "python3-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "python3-perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "bpftool-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-tools-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "python2-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-tools-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-debugsource-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "kernel-tools-devel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "bpftool-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm",
        "perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm"
    ]
}

openEuler:22.03-LTS / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.0-60.27.0.57.oe2203

Ecosystem specific 

{
    "src": [
        "kernel-5.10.0-60.27.0.57.oe2203.src.rpm"
    ],
    "aarch64": [
        "kernel-tools-debuginfo-5.10.0-60.27.0.57.oe2203.aarch64.rpm",
        "bpftool-debuginfo-5.10.0-60.27.0.57.oe2203.aarch64.rpm",
        "python3-perf-debuginfo-5.10.0-60.27.0.57.oe2203.aarch64.rpm",
        "kernel-devel-5.10.0-60.27.0.57.oe2203.aarch64.rpm",
        "perf-debuginfo-5.10.0-60.27.0.57.oe2203.aarch64.rpm",
        "kernel-headers-5.10.0-60.27.0.57.oe2203.aarch64.rpm",
        "kernel-debuginfo-5.10.0-60.27.0.57.oe2203.aarch64.rpm",
        "perf-5.10.0-60.27.0.57.oe2203.aarch64.rpm",
        "kernel-tools-5.10.0-60.27.0.57.oe2203.aarch64.rpm",
        "kernel-5.10.0-60.27.0.57.oe2203.aarch64.rpm",
        "kernel-source-5.10.0-60.27.0.57.oe2203.aarch64.rpm",
        "python3-perf-5.10.0-60.27.0.57.oe2203.aarch64.rpm",
        "kernel-debugsource-5.10.0-60.27.0.57.oe2203.aarch64.rpm",
        "kernel-tools-devel-5.10.0-60.27.0.57.oe2203.aarch64.rpm",
        "bpftool-5.10.0-60.27.0.57.oe2203.aarch64.rpm"
    ],
    "x86_64": [
        "kernel-tools-5.10.0-60.27.0.57.oe2203.x86_64.rpm",
        "python3-perf-5.10.0-60.27.0.57.oe2203.x86_64.rpm",
        "perf-debuginfo-5.10.0-60.27.0.57.oe2203.x86_64.rpm",
        "bpftool-debuginfo-5.10.0-60.27.0.57.oe2203.x86_64.rpm",
        "kernel-5.10.0-60.27.0.57.oe2203.x86_64.rpm",
        "kernel-debuginfo-5.10.0-60.27.0.57.oe2203.x86_64.rpm",
        "kernel-tools-debuginfo-5.10.0-60.27.0.57.oe2203.x86_64.rpm",
        "python2-perf-5.10.0-60.27.0.57.oe2203.x86_64.rpm",
        "perf-5.10.0-60.27.0.57.oe2203.x86_64.rpm",
        "kernel-devel-5.10.0-60.27.0.57.oe2203.x86_64.rpm",
        "python2-perf-debuginfo-5.10.0-60.27.0.57.oe2203.x86_64.rpm",
        "python3-perf-debuginfo-5.10.0-60.27.0.57.oe2203.x86_64.rpm",
        "bpftool-5.10.0-60.27.0.57.oe2203.x86_64.rpm",
        "kernel-tools-devel-5.10.0-60.27.0.57.oe2203.x86_64.rpm",
        "kernel-debugsource-5.10.0-60.27.0.57.oe2203.x86_64.rpm",
        "kernel-source-5.10.0-60.27.0.57.oe2203.x86_64.rpm"
    ]
}