{ "threat_severity" : "Moderate", "public_date" : "2024-05-21T00:00:00Z", "bugzilla" : { "description" : "kernel: virtio-net: Add validation for used length", "id" : "2282401", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2282401" }, "cvss3" : { "cvss3_base_score" : "4.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-20", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nvirtio-net: Add validation for used length\nThis adds validation for used length (might come\nfrom an untrusted device) to avoid data corruption\nor loss.", "A vulnerability was found in the Linux kernel’s virtio-net driver, where the system does not properly validate the length of data provided by an untrusted device. This lack of validation could lead to data corruption if the length of the data is incorrect or maliciously crafted." ], "statement" : "This vulnerability is rated as a moderate severity because it involves potential data corruption or loss, but requires exploitation through specific conditions involving untrusted devices and does not directly impact system confidentiality or integrity, but can lead to significant system disruptions.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-09-24T00:00:00Z", "advisory" : "RHSA-2024:7001", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-09-24T00:00:00Z", "advisory" : "RHSA-2024:7000", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.22.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2024-09-18T00:00:00Z", "advisory" : "RHSA-2024:6753", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.123.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2024-09-18T00:00:00Z", "advisory" : "RHSA-2024:6753", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.123.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2024-09-18T00:00:00Z", "advisory" : "RHSA-2024:6753", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.123.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date" : "2024-09-24T00:00:00Z", "advisory" : "RHSA-2024:6993", "cpe" : "cpe:/o:redhat:rhel_eus:8.8", "package" : "kernel-0:4.18.0-477.74.1.el8_8" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-47352\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47352\nhttps://lore.kernel.org/linux-cve-announce/2024052141-CVE-2021-47352-df50@gregkh/T" ], "name" : "CVE-2021-47352", "mitigation" : { "value" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "lang" : "en:us" }, "csaw" : false }