Memory Leak Affecting kernel-default-livepatch-devel package, versions <5.3.18-150300.59.90.1


Severity

Recommended
0.0
medium
0
10

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
0.06% (30th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Memory Leak vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-SLES153-KERNELDEFAULTLIVEPATCHDEVEL-2990010
  • published24 Aug 2022
  • disclosed23 Aug 2022

Introduced: 23 Aug 2022

CVE-2022-26365  (opens in a new tab)
CWE-401  (opens in a new tab)

How to fix?

Upgrade SLES:15.3 kernel-default-livepatch-devel to version 5.3.18-150300.59.90.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-default-livepatch-devel package and not the kernel-default-livepatch-devel package as distributed by SLES. See How to fix? for SLES:15.3 relevant fixed versions and status.

Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

CVSS Scores

version 3.1