CVE-2022-49094

HIGH EPSS 14.0%
Published Feb 26, 2025 (1y ago) · Modified Jun 17, 2026 (2w ago)
7.1 CVSS 3.1
High

Description

In the Linux kernel, the following vulnerability has been resolved:

net/tls: fix slab-out-of-bounds bug in decrypt_internal

The memory size of tls_ctx->rx.iv for AES128-CCM is set to 12 in tls_set_sw_offload(). The return value of crypto_aead_ivsize() for "ccm(aes)" is 16. So a memcpy() that requires 16 bytes from a 12-byte memory space will trigger a slab-out-of-bounds bug as follows:

    ==================================================================
    BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls]
    Read of size 16 at addr ffff888114e84e60 by task tls/10911

    Call Trace:
     <TASK>
     dump_stack_lvl+0x34/0x44
     print_report.cold+0x5e/0x5db
     ? decrypt_internal+0x385/0xc40 [tls]
     kasan_report+0xab/0x120
     ? decrypt_internal+0x385/0xc40 [tls]
     kasan_check_range+0xf9/0x1e0
     memcpy+0x20/0x60
     decrypt_internal+0x385/0xc40 [tls]
     ? tls_get_rec+0x2e0/0x2e0 [tls]
     ? process_rx_list+0x1a5/0x420 [tls]
     ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls]
     decrypt_skb_update+0x9d/0x400 [tls]
     tls_sw_recvmsg+0x3c8/0xb50 [tls]

    Allocated by task 10911:
     kasan_save_stack+0x1e/0x40
     __kasan_kmalloc+0x81/0xa0
     tls_set_sw_offload+0x2eb/0xa20 [tls]
     tls_setsockopt+0x68c/0x700 [tls]
     __sys_setsockopt+0xfe/0x1b0

Replace crypto_aead_ivsize() with prot->iv_size + prot->salt_size when memcpy()ing the iv value in the TLS_1_3_VERSION scenario.
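The size mismatch described above, as an added userspace model (not kernel code and not part of the original record). It shows why the 16-byte copy over-reads the 12-byte rx.iv allocation for "ccm(aes)" only, and how a length check against the source allocation rejects it. The struct, the helper names, the 8+4 split of the 12 bytes and the "gcm(aes)" row are assumptions taken from upstream kernel headers, not from this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only: hypothetical struct, fields named after the commit text. */
struct cipher_model {
    const char *name;
    size_t iv_size;      /* prot->iv_size */
    size_t salt_size;    /* prot->salt_size */
    size_t aead_ivsize;  /* value crypto_aead_ivsize() reports for the transform */
};

/* CCM: 12-byte allocation and 16-byte AEAD IV are from the CVE text.
 * Assumptions (upstream headers): the 8+4 split and the whole GCM row. */
static const struct cipher_model CCM128 = { "ccm(aes)", 8, 4, 16 };
static const struct cipher_model GCM128 = { "gcm(aes)", 8, 4, 12 };

/* Size of the tls_ctx->rx.iv allocation made at setsockopt time. */
static size_t rx_iv_alloc(const struct cipher_model *c) { return c->iv_size + c->salt_size; }

/* Bytes read past the end of rx.iv when copying len bytes out of it. */
static size_t overread(const struct cipher_model *c, size_t len)
{
    size_t have = rx_iv_alloc(c);
    return len > have ? len - have : 0;
}

/* Bounds-checked copy: 0 on success, -1 if len exceeds source or destination. */
static int checked_iv_copy(unsigned char *dst, size_t dst_len,
                           const unsigned char *src, size_t src_len, size_t len)
{
    if (len > src_len || len > dst_len)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

int main(void)
{
    unsigned char rx_iv[12] = {0}, iv[16];  /* constructed buffers */
    const struct cipher_model *all[] = { &CCM128, &GCM128 };
    for (size_t i = 0; i < 2; i++)          /* before: aead_ivsize, after: iv+salt */
        printf("%-9s alloc=%zu overread before=%zu after=%zu\n", all[i]->name, rx_iv_alloc(all[i]),
               overread(all[i], all[i]->aead_ivsize), overread(all[i], rx_iv_alloc(all[i])));
    printf("checked copy of 16 from 12: %d\n", checked_iv_copy(iv, sizeof iv, rx_iv, sizeof rx_iv, 16));
    return 0;
}
```

The 4-byte overread for CCM matches the "Read of size 16" against a 12-byte object in the KASAN report.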

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
14.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 6

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥5.2 – <5.4.189
linux   linux_kernel  *        ≥5.5 – <5.10.111
linux   linux_kernel  *        ≥5.11 – <5.15.34
linux   linux_kernel  *        ≥5.16 – <5.16.20
linux   linux_kernel  *        ≥5.17 – <5.17.3
linux   linux_kernel  5.18     any

References 6

  • git.kernel.org https://git.kernel.org/stable/c/2304660ab6c425df64d95301b601424c6a50f28b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/29be1816cbab9a0dc6243120939fd10a92753756
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2b7d14c105dd8f6412eda5a91e1e6154653731e3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/589154d0f18945f41d138a5b4e49e518d294474b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6e2f1b033b17dedda51d465861b69e58317d6343
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9381fe8c849cfbe50245ac01fc077554f6eaa0e2
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/2304660ab6c425df64d95301b601424c6a50f28b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/29be1816cbab9a0dc6243120939fd10a92753756
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2b7d14c105dd8f6412eda5a91e1e6154653731e3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/589154d0f18945f41d138a5b4e49e518d294474b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6e2f1b033b17dedda51d465861b69e58317d6343
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9381fe8c849cfbe50245ac01fc077554f6eaa0e2
    Patch