Memory Leak Affecting kernel-libbpf-devel package, versions <0:6.1.10-15.42.amzn2023


Severity

Recommended
0.0
high
0
10

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.06% (30th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Memory Leak vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-AMZN2023-KERNELLIBBPFDEVEL-3346773
  • published7 Mar 2023
  • disclosed5 Jul 2022

Introduced: 5 Jul 2022

CVE-2022-26365  (opens in a new tab)
CWE-401  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2023 kernel-libbpf-devel to version 0:6.1.10-15.42.amzn2023 or higher.
This issue was patched in ALAS2023-2023-070.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-libbpf-devel package and not the kernel-libbpf-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.

Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

CVSS Scores

version 3.1