Canonical Ubuntu Linux (Linux Operating System)


Recent Canonical Ubuntu Linux Security Advisories

Advisory     Title                                     Published
USN-5651-2   strongSwan vulnerability                  October 3, 2022
USN-5651-1   strongSwan vulnerability                  October 3, 2022
USN-5614-2   Wayland vulnerability                     October 3, 2022
USN-5652-1   Linux kernel (Azure) vulnerabilities      October 3, 2022
USN-5649-1   Firefox vulnerabilities                   September 30, 2022
USN-5650-1   Linux kernel vulnerabilities              September 30, 2022
USN-5648-1   Linux kernel (GKE) vulnerabilities        September 30, 2022
USN-5647-1   Linux kernel (GCP) vulnerabilities        September 28, 2022
USN-5646-1   libXi vulnerabilities                     September 28, 2022
USN-5615-2   SQLite vulnerability                      September 28, 2022


By the Year

In 2022 there have been 417 vulnerabilities in Canonical Ubuntu Linux with an average score of 6.9 out of ten. Last year Ubuntu Linux had 509 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in Ubuntu Linux in 2022 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2022 is greater by 0.22.

Year   Vulnerabilities   Average Score
2022   417               6.94
2021   509               6.73
2020   514               6.28
2019   489               7.06
2018   826               7.17

It may take a day or so for new Ubuntu Linux vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Canonical Ubuntu Linux Security Vulnerabilities

A time-of-check-time-of-use (TOCTOU) race condition vulnerability was found in networkd-dispatcher

CVE-2022-29800 4.7 - Medium - September 21, 2022

A time-of-check-time-of-use (TOCTOU) race condition vulnerability was found in networkd-dispatcher. This flaw exists because there is a certain time between the scripts being discovered and them being run. An attacker can abuse this vulnerability to replace scripts that networkd-dispatcher believes to be owned by root with ones that are not.

TOCTTOU

A vulnerability was found in networkd-dispatcher

CVE-2022-29799 5.5 - Medium - September 21, 2022

A vulnerability was found in networkd-dispatcher. This flaw exists because no functions are sanitized by the OperationalState or the AdministrativeState of networkd-dispatcher. This attack leads to a directory traversal to escape from the /etc/networkd-dispatcher base directory.

Directory traversal

By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak

CVE-2022-38178 7.5 - High - September 21, 2022

By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

Improper Verification of Cryptographic Signature

By sending specific queries to the resolver, an attacker

CVE-2022-3080 7.5 - High - September 21, 2022

By sending specific queries to the resolver, an attacker can cause named to crash.

Injection

An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources

CVE-2022-2906 7.5 - High - September 21, 2022

An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.

Memory Leak

The underlying bug might cause read past end of the buffer and either read memory it should not read

CVE-2022-2881 8.2 - High - September 21, 2022

The underlying bug might cause a read past the end of the buffer, either reading memory it should not read or crashing the process.

Out-of-bounds Read

By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak

CVE-2022-38177 7.5 - High - September 21, 2022

By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

Improper Verification of Cryptographic Signature

By flooding the target resolver with queries exploiting this flaw an attacker

CVE-2022-2795 7.5 - High - September 21, 2022

By flooding the target resolver with queries exploiting this flaw, an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.

Resource Exhaustion

A NULL pointer dereference flaw was found in diFree in fs/jfs/inode.c in the Journaled File System (JFS) in the Linux kernel

CVE-2022-3202 7.1 - High - September 14, 2022

A NULL pointer dereference flaw was found in diFree in fs/jfs/inode.c in the Journaled File System (JFS) in the Linux kernel. This could allow a local attacker to crash the system or leak kernel internal information.

NULL Pointer Dereference

A flaw was found in the Linux kernel's driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet devices

CVE-2022-2964 7.8 - High - September 09, 2022

A flaw was found in the Linux kernel's driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet devices. The vulnerability consists of multiple out-of-bounds reads and possible out-of-bounds writes.

Memory Corruption

A use-after-free vulnerability was found in systemd

CVE-2022-2526 9.8 - Critical - September 09, 2022

A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later.

Dangling pointer

A stack-based buffer overflow flaw was found in the Fribidi package

CVE-2022-25308 7.8 - High - September 06, 2022

A stack-based buffer overflow flaw was found in the Fribidi package. This flaw allows an attacker to pass a specially crafted file to the Fribidi application, which leads to a possible memory leak or a denial of service.

Memory Corruption

A heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_to_unicode() function of the fribidi-char-sets-cap-rtl.c file

CVE-2022-25309 5.5 - Medium - September 06, 2022

A heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_to_unicode() function of the fribidi-char-sets-cap-rtl.c file. This flaw allows an attacker to pass a specially crafted file to the Fribidi application with the '--caprtl' option, leading to a crash and causing a denial of service.

Memory Corruption

A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bidi_marks() function of the lib/fribidi.c file

CVE-2022-25310 5.5 - Medium - September 06, 2022

A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bidi_marks() function of the lib/fribidi.c file. This flaw allows an attacker to pass a specially crafted file to Fribidi, leading to a crash and causing a denial of service.

An authorization flaw was found in openstack-barbican

CVE-2022-23451 8.1 - High - September 06, 2022

An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.

AuthZ

BlueZ before 5.59 allows physically proximate attackers to cause a denial of service

CVE-2022-39177 8.8 - High - September 02, 2022

BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c.

BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information

CVE-2022-39176 8.8 - High - September 02, 2022

BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.

An integer coercion error was found in the openvswitch kernel module

CVE-2022-2639 7.8 - High - September 01, 2022

An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Memory Corruption

A race condition was found in the Linux kernel in perf_event_open() which can be exploited by an unprivileged user to gain root privileges

CVE-2022-1729 7 - High - September 01, 2022

A race condition was found in the Linux kernel in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. The bug allows building several exploit primitives, such as a kernel address information leak and arbitrary execution.

Race Condition

An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container

CVE-2022-23452 4.9 - Medium - September 01, 2022

An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.

AuthZ

In SQLite 3.31.1, there is an out of bounds access problem through ALTER TABLE for views

CVE-2020-35527 9.8 - Critical - September 01, 2022

In SQLite 3.31.1, there is an out of bounds access problem through ALTER TABLE for views that have a nested FROM clause.

Buffer Overflow

In SQLite 3.31.1, a potential NULL pointer dereference was found in INTERSECT query processing

CVE-2020-35525 7.5 - High - September 01, 2022

In SQLite 3.31.1, a potential NULL pointer dereference was found in INTERSECT query processing.

NULL Pointer Dereference

A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously

CVE-2022-3028 7 - High - August 31, 2022

A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.

Race Condition

A crafted input file could cause a null pointer dereference in jcopy_sample_rows() when processed by libjpeg-turbo.

CVE-2020-35538 5.5 - Medium - August 31, 2022

A crafted input file could cause a null pointer dereference in jcopy_sample_rows() when processed by libjpeg-turbo.

NULL Pointer Dereference

A stack buffer overflow flaw was found in libtiff's tiffcp.c in the main() function

CVE-2022-1355 6.1 - Medium - August 31, 2022

A stack buffer overflow flaw was found in libtiff's tiffcp.c in the main() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffcp tool, triggering a stack buffer overflow, possibly corrupting memory, and causing a crash that leads to a denial of service.

Buffer Overflow

A heap buffer overflow flaw was found in libtiff's tiffinfo.c in the TIFFReadRawDataStriped() function

CVE-2022-1354 5.5 - Medium - August 31, 2022

A heap buffer overflow flaw was found in libtiff's tiffinfo.c in the TIFFReadRawDataStriped() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffinfo tool, triggering a heap buffer overflow and causing a crash that leads to a denial of service.

Memory Corruption

A NULL pointer dereference flaw was found in the Linux kernel's Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol

CVE-2022-1205 4.7 - Medium - August 31, 2022

A NULL pointer dereference flaw was found in the Linux kernel's Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.

NULL Pointer Dereference

A NULL pointer dereference issue was found in KVM when releasing a vCPU with dirty ring support enabled

CVE-2022-1263 5.5 - Medium - August 31, 2022

A NULL pointer dereference issue was found in KVM when releasing a vCPU with dirty ring support enabled. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.

NULL Pointer Dereference

There is a sleep-in-atomic bug in /net/nfc/netlink.c

CVE-2022-1975 5.5 - Medium - August 31, 2022

There is a sleep-in-atomic bug in /net/nfc/netlink.c that allows an attacker to crash the Linux kernel by simulating an NFC device from user space.

A use-after-free flaw was found in the Linux kernel's NFC core functionality due to a race condition between kobject creation and delete

CVE-2022-1974 4.1 - Medium - August 31, 2022

A use-after-free flaw was found in the Linux kernel's NFC core functionality due to a race condition between kobject creation and delete. This vulnerability allows a local attacker with CAP_NET_ADMIN privilege to leak kernel information.

Dangling pointer

A flaw was found in dpdk

CVE-2022-0669 6.5 - Medium - August 29, 2022

A flaw was found in dpdk. This flaw allows a malicious vhost-user master to attach an unexpected number of fds as ancillary data to VHOST_USER_GET_INFLIGHT_FD / VHOST_USER_SET_INFLIGHT_FD messages that are not closed by the vhost-user slave. By sending such messages continuously, the vhost-user master exhausts available fd in the vhost-user slave process, leading to a denial of service.

A use-after-free vulnerability was discovered in drivers/net/hamradio/6pack.c of the Linux kernel

CVE-2022-1198 5.5 - Medium - August 29, 2022

A use-after-free vulnerability was discovered in drivers/net/hamradio/6pack.c of the Linux kernel that allows an attacker to crash the kernel by simulating an AX.25 device using the 6pack driver from user space.

Dangling pointer

A flaw was found in the Linux kernel

CVE-2022-1199 7.5 - High - August 29, 2022

A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability.

NULL Pointer Dereference

A use-after-free flaw was found in the Linux kernel's Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol

CVE-2022-1204 5.5 - Medium - August 29, 2022

A use-after-free flaw was found in the Linux kernel's Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.

Dangling pointer

A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free

CVE-2022-1016 5.5 - Medium - August 29, 2022

A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle 'return' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.

Dangling pointer

A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation

CVE-2022-0358 7.8 - High - August 29, 2022

A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.

Improper Check for Dropped Privileges

The Samba AD DC includes checks when adding service principal names (SPNs) to an account to ensure

CVE-2022-0336 8.8 - High - August 29, 2022

The Samba AD DC includes checks when adding service principal names (SPNs) to an account to ensure that SPNs do not alias with those already in the database. Some of these checks can be bypassed if an account modification re-adds an SPN that was previously present on that account, such as one added when a computer is joined to a domain. An attacker who has the ability to write to an account can exploit this to perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an attacker who can intercept traffic can impersonate existing services, resulting in a loss of confidentiality and integrity.

Incorrect Default Permissions

A vulnerability was found in the Linux kernel, where an information leak occurs

CVE-2022-0850 7.1 - High - August 29, 2022

A vulnerability was found in the Linux kernel, where an information leak occurs via ext4_extent_header to userspace.

A denial of service (DoS) issue was found in the Linux kernel's smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS) code due to an incorrect return

CVE-2022-0168 4.4 - Medium - August 26, 2022

A denial of service (DoS) issue was found in the Linux kernel's smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS) code due to an incorrect return from the memdup_user function. This flaw allows a local, privileged (CAP_SYS_ADMIN) attacker to crash the system.

NULL Pointer Dereference

A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer)

CVE-2022-0175 5.5 - Medium - August 26, 2022

A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer). The virgl did not properly initialize memory when allocating a host-backed memory resource. A malicious guest could use this flaw to mmap from the guest kernel and read this uninitialized memory from the host, possibly leading to information disclosure.

Missing Initialization of Resource

An issue was found in fts5UnicodeTokenize() in ext/fts5/fts5_tokenize.c in Sqlite

CVE-2021-20223 9.8 - Critical - August 25, 2022

An issue was found in fts5UnicodeTokenize() in ext/fts5/fts5_tokenize.c in SQLite. A unicode61 tokenizer configured to treat Unicode "control-characters" (class Cc) was treating embedded NUL characters as tokens. The issue was fixed in sqlite-3.34.0 and later.

A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU

CVE-2021-3929 8.2 - High - August 25, 2022

A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.

Dangling pointer

An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer (virglrenderer)

CVE-2022-0135 7.8 - High - August 25, 2022

An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer (virglrenderer). This flaw allows a malicious guest to create a specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, leading to a denial of service or possible code execution.

Memory Corruption

A race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring()

CVE-2022-2959 7 - High - August 25, 2022

A race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring(). The specific flaw exists within the handling of pipe buffers. The issue results from the lack of proper locking when performing operations on an object. This flaw allows a local user to crash the system or escalate their privileges on the system.

Race Condition

A use-after-free flaw was found in the Linux kernel's NILFS file system in the way a user triggers the security_inode_alloc function to fail, followed by a call to nilfs_mdt_destroy

CVE-2022-2978 7.8 - High - August 24, 2022

A use-after-free flaw was found in the Linux kernel's NILFS file system in the way a user triggers the security_inode_alloc function to fail, followed by a call to nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.

Dangling pointer

A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel

CVE-2021-4037 7.8 - High - August 24, 2022

A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files on the XFS file system with an unintended group ownership and with the group execution and SGID permission bits set, in a scenario where a directory is SGID, belongs to a certain group, and is writable by a user who is not a member of that group. This can lead to excessive permissions being granted when they should not be. This vulnerability is similar to the previous CVE-2018-13405 and adds the fix that was missed for XFS.

A NULL pointer dereference flaw was found in GnuTLS

CVE-2021-4209 6.5 - Medium - August 24, 2022

A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances.

NULL Pointer Dereference

A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode

CVE-2021-4189 5.3 - Medium - August 24, 2022

A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.

Unchecked Return Value

A NULL pointer dereference issue was found in the ACPI code of QEMU

CVE-2021-4158 6 - Medium - August 24, 2022

A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

NULL Pointer Dereference

A flaw was found in glibc

CVE-2021-3999 7.8 - High - August 24, 2022

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

off-by-five

A flaw was found in glibc

CVE-2021-3998 7.5 - High - August 24, 2022

A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.

Unchecked Return Value

A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size

CVE-2021-4155 5.5 - Medium - August 24, 2022

A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them.

Incorrect Calculation of Buffer Size

A use-after-free flaw was found in libvirt

CVE-2021-3975 6.5 - Medium - August 23, 2022

A use-after-free flaw was found in libvirt. The qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down. An unprivileged client with a read-only connection could use this flaw to perform a denial of service attack by causing the libvirt daemon to crash.

Dangling pointer

A flaw was found in the vhost library in DPDK

CVE-2021-3839 7.5 - High - August 23, 2022

A flaw was found in the vhost library in DPDK. Function vhost_user_set_inflight_fd() does not validate `msg->payload.inflight.num_queues`, possibly causing out-of-bounds memory read/write. Any software using DPDK vhost library may crash as a result of this vulnerability.

Out-of-bounds Read

A memory leak was found in Open vSwitch (OVS) during userspace IP fragmentation processing

CVE-2021-3905 7.5 - High - August 23, 2022

A memory leak was found in Open vSwitch (OVS) during userspace IP fragmentation processing. An attacker could use this flaw to potentially exhaust available memory by continuously sending packet fragments.

Memory Leak

A memory overflow vulnerability was found in the Linux kernel's IPC functionality of the memcg subsystem

CVE-2021-3759 5.5 - Medium - August 23, 2022

A memory overflow vulnerability was found in the Linux kernel's IPC functionality of the memcg subsystem, in the way a user calls the semget function multiple times, creating semaphores. This flaw allows a local user to starve the resources, causing a denial of service. The highest threat from this vulnerability is to system availability.

Resource Exhaustion

An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link

CVE-2021-23177 7.8 - High - August 23, 2022

An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.

insecure temporary file

An improper link resolution flaw

CVE-2021-31566 7.8 - High - August 23, 2022

An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.

insecure temporary file

A memory leak flaw was found in the Linux kernel's ccp_run_aes_gcm_cmd() function that allows an attacker to cause a denial of service

CVE-2021-3764 5.5 - Medium - August 23, 2022

A memory leak flaw was found in the Linux kernel's ccp_run_aes_gcm_cmd() function that allows an attacker to cause a denial of service. The vulnerability is similar to the older CVE-2019-18808. The highest threat from this vulnerability is to system availability.

Memory Leak

An out-of-bounds memory access flaw was found in the Linux kernel's Intel iSMT SMBus host controller driver in the way a user triggers I2C_SMBUS_BLOCK_DATA (via the I2C_SMBUS ioctl) with malicious input data

CVE-2022-2873 5.5 - Medium - August 22, 2022

An out-of-bounds memory access flaw was found in the Linux kernel's Intel iSMT SMBus host controller driver in the way a user triggers I2C_SMBUS_BLOCK_DATA (via the I2C_SMBUS ioctl) with malicious input data. This flaw allows a local user to crash the system.

Incorrect Calculation of Buffer Size

A heap-based buffer overwrite vulnerability was found in Ghostscript's lp8000_print_page() function in the gdevlp8k.c file

CVE-2020-27792 7.1 - High - August 19, 2022

A heap-based buffer overwrite vulnerability was found in Ghostscript's lp8000_print_page() function in the gdevlp8k.c file. An attacker could trick a user into opening a crafted PDF file, triggering the heap buffer overflow, which could lead to memory corruption or a denial of service.

Buffer Overflow

libtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write

CVE-2022-2867 8.8 - High - August 17, 2022

libtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation.

Out-of-bounds Read

libtiff's tiffcrop tool has a uint32_t underflow which leads to out of bounds read and write in the extractContigSamples8bits routine

CVE-2022-2869 8.8 - High - August 17, 2022

libtiff's tiffcrop tool has a uint32_t underflow which leads to out of bounds read and write in the extractContigSamples8bits routine. An attacker who supplies a crafted file to tiffcrop could trigger this flaw, most likely by tricking a user into opening the crafted file with tiffcrop. Triggering this flaw could cause a crash or potentially further exploitation.

Out-of-bounds Read

libtiff's tiffcrop utility has an improper input validation flaw

CVE-2022-2868 8.1 - High - August 17, 2022

libtiff's tiffcrop utility has an improper input validation flaw that can lead to an out-of-bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.

Improper Input Validation

Dm-verity is used for extending root-of-trust to root filesystems

CVE-2022-2503 6.7 - Medium - August 12, 2022

Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5

Authentication

Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel

CVE-2022-20368 7.8 - High - August 11, 2022

Product: Android. Versions: Android kernel. Android ID: A-224546354. References: Upstream kernel

A vulnerability in the regex module used by the signature database load module of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could

CVE-2022-20792 7.8 - High - August 10, 2022

A vulnerability in the regex module used by the signature database load module of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an authenticated, local attacker to crash ClamAV at database load time, and possibly gain code execution. The vulnerability is due to improper bounds checking that may result in a multi-byte heap buffer overflow write. An attacker could exploit this vulnerability by placing a crafted CDB ClamAV signature database file in the ClamAV database directory. An exploit could allow the attacker to run code as the clamav user.

Memory Corruption

A flaw was found in KVM

CVE-2022-1158 7.8 - High - August 05, 2022

A flaw was found in KVM. When updating a guest's page table entry, vm_pgoff was improperly used as the offset to get the page's pfn. As vaddr and vm_pgoff are controllable by user-mode processes, this flaw allows unprivileged local users on the host to write outside the userspace region and potentially corrupt the kernel, resulting in a denial of service condition.

Dangling pointer

A use-after-free flaw was found in the Linux kernel in log_replay in fs/ntfs3/fslog.c in the NTFS journal

CVE-2022-1973 7.1 - High - August 05, 2022

A use-after-free flaw was found in the Linux kernel in log_replay in fs/ntfs3/fslog.c in the NTFS journal. This flaw allows a local attacker to crash the system and leads to a kernel information leak problem.

Dangling pointer

A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size

CVE-2022-1012 8.2 - High - August 05, 2022

A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow an attacker to leak information and may cause a denial of service problem.

Memory Leak

A vulnerability was found in gnutls

CVE-2022-2509 7.5 - High - August 01, 2022

A vulnerability was found in gnutls. This security flaw happens because a double free error occurs during verification of pkcs7 signatures in the gnutls_pkcs7_verify function.

Double-free

nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14

CVE-2022-36946 7.5 - High - July 27, 2022

nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.

A memory leak flaw was found in the Linux kernel in acrn_dev_ioctl in the drivers/virt/acrn/hsm.c function in how the ACRN Device Model emulates virtual NICs in VM

CVE-2022-1651 7.1 - High - July 26, 2022

A memory leak flaw was found in the Linux kernel in acrn_dev_ioctl in the drivers/virt/acrn/hsm.c function in how the ACRN Device Model emulates virtual NICs in VM. This flaw allows a local privileged attacker to leak unauthorized kernel information, causing a denial of service.

Memory Leak

A NULL pointer dereference flaw was found in rxrpc_preparse_s in net/rxrpc/server_key.c in the Linux kernel

CVE-2022-1671 7.1 - High - July 26, 2022

A NULL pointer dereference flaw was found in rxrpc_preparse_s in net/rxrpc/server_key.c in the Linux kernel. This flaw allows a local attacker to crash the system or leak internal kernel information.

NULL Pointer Dereference

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries)

CVE-2022-21549 5.3 - Medium - July 19, 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot)

CVE-2022-21541 5.9 - Medium - July 19, 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot)

CVE-2022-21540 5.3 - Medium - July 19, 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

DOS / potential heap overwrite in qtdemux using zlib decompression

CVE-2022-2122 7.8 - High - July 19, 2022

DOS / potential heap overwrite in qtdemux using zlib decompression. Integer overflow in the qtdemux element in the qtdemux_inflate function which causes a segfault, or could cause a heap overwrite. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite.

Memory Corruption

DOS / potential heap overwrite in mkv demuxing using HEADERSTRIP decompression

CVE-2022-1925 7.8 - High - July 19, 2022

DOS / potential heap overwrite in mkv demuxing using HEADERSTRIP decompression. Integer overflow in the matroskaparse element in the gst_matroska_decompress_data function which causes a heap overflow. Due to restrictions on chunk sizes in the matroskademux element, the overflow can't be triggered there; however, the matroskaparse element has no size checks.

Memory Corruption

DOS / potential heap overwrite in mkv demuxing using lzo decompression

CVE-2022-1924 7.8 - High - July 19, 2022

DOS / potential heap overwrite in mkv demuxing using lzo decompression. Integer overflow in the matroskademux element in the lzo decompression function which causes a segfault, or could cause a heap overwrite. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.

Memory Corruption

DOS / potential heap overwrite in mkv demuxing using bzip decompression

CVE-2022-1923 7.8 - High - July 19, 2022

DOS / potential heap overwrite in mkv demuxing using bzip decompression. Integer overflow in the matroskademux element in the bzip decompression function which causes a segfault, or could cause a heap overwrite. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.

Memory Corruption

DOS / potential heap overwrite in mkv demuxing using zlib decompression

CVE-2022-1922 7.8 - High - July 19, 2022

DOS / potential heap overwrite in mkv demuxing using zlib decompression. Integer overflow in the matroskademux element in the gst_matroska_decompress_data function which causes a segfault, or could cause a heap overwrite. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.

Memory Corruption

Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files

CVE-2022-1921 7.8 - High - July 19, 2022

Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite.

Integer Overflow or Wraparound

Integer overflow in matroskademux element in gst_matroska_demux_add_wvpk_header function which

CVE-2022-1920 7.8 - High - July 19, 2022

Integer overflow in matroskademux element in gst_matroska_demux_add_wvpk_header function which allows a heap overwrite while parsing matroska files. Potential for arbitrary code execution through heap overwrite.

Memory Corruption

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets

CVE-2022-34169 7.5 - High - July 19, 2022

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Incorrect Conversion between Numeric Types

When setting a font with malicious data by ioctl cmd PIO_FONT

CVE-2021-33656 6.8 - Medium - July 18, 2022

When setting a font with malicious data by ioctl cmd PIO_FONT, the kernel will write memory out of bounds.

Memory Corruption

When sending malicious data to the kernel by ioctl cmd FBIOPUT_VSCREENINFO

CVE-2021-33655 6.7 - Medium - July 18, 2022

When sending malicious data to the kernel by ioctl cmd FBIOPUT_VSCREENINFO, the kernel will write memory out of bounds.

Memory Corruption

A memory leak vulnerability was found in the Linux kernel's eBPF for the Simulated networking device driver in the way a user uses BPF for the device such

CVE-2021-4135 5.5 - Medium - July 14, 2022

A memory leak vulnerability was found in the Linux kernel's eBPF for the Simulated networking device driver in the way a user uses BPF for the device such that the function nsim_map_alloc_elem is called. A local user could use this flaw to get unauthorized access to some data.

Memory Leak

The Linux kernel was found vulnerable to out-of-bounds memory access in the drivers/video/fbdev/sm712fb.c:smtcfb_read() function

CVE-2022-2380 5.5 - Medium - July 13, 2022

The Linux kernel was found vulnerable to out-of-bounds memory access in the drivers/video/fbdev/sm712fb.c:smtcfb_read() function. The vulnerability could result in local attackers being able to crash the kernel.

Memory Corruption

Windows Internet Information Services Cachuri Module Denial of Service Vulnerability.

CVE-2022-22025 7.5 - High - July 12, 2022

Windows Internet Information Services Cachuri Module Denial of Service Vulnerability.

Git is a distributed revision control system

CVE-2022-29187 7.8 - High - July 12, 2022

Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.

DLL preloading

Intel microprocessor generations 6 to 8 are affected by a new Spectre variant

CVE-2022-29901 6.5 - Medium - July 12, 2022

Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.

Exposure of Resource to Wrong Sphere

Mis-trained branch predictions for return instructions may

CVE-2022-29900 6.5 - Medium - July 12, 2022

Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.

Information Disclosure

A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them

CVE-2022-32205 4.3 - Medium - July 07, 2022

A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies makes subsequent HTTP requests to this, or other servers to which the cookies match, become larger than the threshold that curl uses internally to avoid sending excessively large requests (1048576 bytes), so curl instead returns an error. This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.

Allocation of Resources Without Limits or Throttling

curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning

CVE-2022-32206 6.5 - Medium - July 07, 2022

curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

Allocation of Resources Without Limits or Throttling

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In

CVE-2022-32207 9.8 - Critical - July 07, 2022

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

Incorrect Default Permissions

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly

CVE-2022-32208 5.9 - Medium - July 07, 2022

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

Memory Corruption

There are use-after-free vulnerabilities caused by the timer handler in net/rose/rose_timer.c of the Linux kernel

CVE-2022-2318 5.5 - Medium - July 06, 2022

There are use-after-free vulnerabilities caused by the timer handler in net/rose/rose_timer.c of the Linux kernel that allow attackers to crash the kernel without any privileges.

Dangling pointer

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates

CVE-2022-31129 7.5 - High - July 06, 2022

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Resource Exhaustion

Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains

CVE-2022-33741 7.1 - High - July 05, 2022

Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

Information Disclosure
