CVE-2022-1973 An use-after-free flaw was found in the Linux kernel's log replay in ntfs3's fslog.c.

CVE-2022-1973 An use-after-free flaw was found in the Linux kernel's log replay in ntfs3's fslog.c.

The security issue was discovered by Ben Hawes of Cryptography Engineering and reported to the upstream developers. An out-of-bounds read flaw was found in the Linux kernel’s handling of some ffff permission request from a task’s parent. If a process creates a bfff or ffff file in a directory owned by that parent, the ffff permission will be requested of that file. But since there is no ffff permission, the access will not be checked and the process could access the file or even kill the parent task. This could lead to information leak and privilege escalation. The update to fix this issue is expected to be released in the upcoming 2.6.39 stable update.

Linux Kernel Update for CVE-2014-9900

This security issue was discovered by Ben Hawes of Cryptography Engineering and reported to the upstream developers. An out-of-bounds read flaw was found in the Linux kernel’s handling of some ffff permission request from a task’s parent. If a process creates a bfff or ffff file in a directory owned by that parent, the ffff permission will be requested of that file. But since there is no ffff permission, the access will not be checked and the process could access the file or even kill the parent task. This could lead to information leak and privilege escalation. The update to fix this issue is expected to be released in the upcoming 2.6.39 stable update.
The following CVE ID numbers have been assigned: CVE-2014-9900, CVE-2017-2653

Vulnerable code

CVE-2022-1973: A vulnerability was found in the Linux Kernel's handling of some ffff permission request from a task's parent. If a process creates a bfff or ffff file in a directory owned by that parent, the ffff permission will be requested of that file. But since there is no ffff permission, the access will not be checked and the process could access the file or even kill the parent task. This could lead to information leak and privilege escalation. The update to fix this issue is expected to be released in the upcoming 2.6.39 stable update.

CVE-2023-1974

The security issue was discovered by Ben Hawes of Cryptography Engineering and reported to Yann Collet of Red Hat. An out-of-bounds write flaw was found in the Linux kernel’s handling of some ffff permission request from a task’s parent. If a process creates a bfff or ffff file in a directory owned by that parent, the access will be granted to that file. But since there is no bfff or ffff permission, the access will not be checked and the process could create files with those permissions. This could lead to information leak and privilege escalation. The update to fix this issue is expected to be released in the upcoming 2.6.39 stable update.

Linux Kernel Out-of-Bounds Write CVE -2022-1973

An out-of-bounds read flaw was found in the Linux kernel’s handling of some ffff permission request from a task’s parent. If a process creates a bfff or ffff file in a directory owned by that parent, the ffff permission will be requested of that file. But since there is no ffff permission, the access will not be checked and the process could access the file or even kill the parent task. This could lead to information leak and privilege escalation. The update to fix this issue is expected to be released in the upcoming 2.6.39 stable update.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe