
CVE-2022-25375

Published: 20/02/2022 Updated: 11/05/2022
CVSS v2 Base Score: 2.1 | Impact Score: 2.9 | Exploitability Score: 3.9
CVSS v3 Base Score: 5.5 | Impact Score: 3.6 | Exploitability Score: 1.8
CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

An issue exists in drivers/usb/gadget/function/rndis.c in the Linux kernel prior to 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.



Vulnerable Products

linux: linux kernel

debian: debian linux 9.0

debian: debian linux 10.0

debian: debian linux 11.0

Vendor Advisories

An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory ...
Several security issues were fixed in the Linux kernel ...
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2021-43976: Zekun Shen and Brendan Dolan-Gavitt discovered a flaw in the mwifiex_usb_recv() function of the Marvell WiFi-Ex USB Driver. An attacker able to connect a crafted USB device can ...
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2020-29374: Jann Horn of Google reported a flaw in Linux's virtual memory management. A parent and child process initially share all their memory, but when either writes to a shared page, ...

Mailing Lists

The RNDIS USB Gadget may be exploited to dump contents of kernel memory space via the packet filter update mechanism. The RNDIS_MSG_SET handler, rndis_set_response, calls gen_ndis_set_resp passing a buffer pointer offset by BufOffset + 8. The BufOffset variable is retrieved from the RNDIS message and not validated to respect buffer boundaries. Conse ...

GitHub Repositories

RNDIS-CO. Summary: The RNDIS USB Gadget may be exploited to dump contents of kernel memory space via the packet filter update mechanism. Description: The RNDIS_MSG_SET USB control transfer request handler, rndis_set_response, calls gen_ndis_set_resp passing a buffer pointer offset by BufOffset + 8. The BufOffset variable is retrieved from the RNDIS message and not validated to respect

PoC in GitHub 2022: CVE-2022-0185 (2022-02-11). A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameter's length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a f