USN-5540-1

Details

Liu Jian discovered that the IGMP protocol implementation in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2022-20141)

It was discovered that the USB gadget subsystem in the Linux kernel did not properly validate interface descriptor requests. An attacker could possibly use this to cause a denial of service (system crash). (CVE-2022-25258)

It was discovered that the Remote NDIS (RNDIS) USB gadget implementation in the Linux kernel did not properly validate the size of the RNDIS_MSG_SET command. An attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2022-25375)

Arthur Mongodin discovered that the netfilter subsystem in the Linux kernel did not properly perform data validation. A local attacker could use this to escalate privileges in certain situations. (CVE-2022-34918)

Affected Packages

Ubuntu:Pro:14.04:LTSlinux-aws

Fixed in:

4.4.0-1110.116

Ubuntu:Pro:14.04:LTSlinux-lts-xenial

Fixed in:

4.4.0-230.264~14.04.1

Ubuntu:Pro:16.04:LTSlinux

Fixed in:

4.4.0-230.264

Ubuntu:Pro:16.04:LTSlinux-aws

Fixed in:

4.4.0-1146.161

Ubuntu:Pro:16.04:LTSlinux-kvm

Fixed in:

4.4.0-1111.121

References

REPORThttps://ubuntu.com/security/CVE-2022-20141 REPORThttps://ubuntu.com/security/CVE-2022-25258 REPORThttps://ubuntu.com/security/CVE-2022-25375 REPORThttps://ubuntu.com/security/CVE-2022-34918 ADVISORYhttps://ubuntu.com/security/notices/USN-5540-1

USN-5540-1

Details

Affected Packages

References

Upstream

Ecosystems

Timeline