CVE-2022-25375

Published: 20/02/2022 Updated: 08/08/2023
CVSS v2 Base Score: 2.1 | Impact Score: 2.9 | Exploitability Score: 3.9
CVSS v3 Base Score: 5.5 | Impact Score: 3.6 | Exploitability Score: 1.8
VMScore: 187
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

An issue exists in drivers/usb/gadget/function/rndis.c in the Linux kernel prior to 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.

Vulnerable Product

linux linux kernel

debian debian linux 9.0

debian debian linux 10.0

debian debian linux 11.0

Vendor Advisories

Several security issues were fixed in the Linux kernel ...
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2020-29374: Jann Horn of Google reported a flaw in Linux's virtual memory management. A parent and child process initially share all their memory, but when either writes to a shared page, ...
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2021-43976: Zekun Shen and Brendan Dolan-Gavitt discovered a flaw in the mwifiex_usb_recv() function of the Marvell WiFi-Ex USB Driver. An attacker able to connect a crafted USB device can ...
An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory ...

Mailing Lists

oss-sec mailing list archives: CVE-2022-25375 : Linux RNDIS USB Gadget memory extraction via packet filter ...

Github Repositories

CVE-2022-25375 - Demo exploit of RNDIS USB Gadget

RNDIS-CO. Summary: The RNDIS USB Gadget may be exploited to dump contents of kernel memory space via packet filter update mechanism. Description: The RNDIS_MSG_SET USB control transfer request handler, rndis_set_response, calls gen_ndis_set_resp, passing a buffer pointer offset by BufOffset + 8. The BufOffset variable is retrieved from the RNDIS message and not validated to respect