{ "threat_severity" : "Moderate", "public_date" : "2022-08-09T08:30:00Z", "bugzilla" : { "description" : "kernel: use-after-free after failed devlink reload in devlink_param_get", "id" : "2144720", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2144720" }, "cvss3" : { "cvss3_base_score" : "7.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211929 was assigned to this vulnerability.", "A flaw was found in the Netlink device interface implementation in the Linux kernel that improperly handled certain error conditions, leading to a use-after-free issue with some network device drivers. A local attacker with admin access to the network device could use this to cause a denial of service (system crash) or execute arbitrary code." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-05-16T00:00:00Z", "advisory" : "RHSA-2023:2736", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-477.10.1.rt7.274.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-05-16T00:00:00Z", "advisory" : "RHSA-2023:2951", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-477.10.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date" : "2024-02-21T00:00:00Z", "advisory" : "RHSA-2024:0930", "cpe" : "cpe:/o:redhat:rhel_eus:8.6", "package" : "kernel-0:4.18.0-372.93.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2148", "cpe" : "cpe:/a:redhat:enterprise_linux:9::nfv", "package" : "kernel-rt-0:5.14.0-284.11.1.rt14.296.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" }, { "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date" : "2024-02-21T00:00:00Z", "advisory" : "RHSA-2024:0930", "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package" : "kernel-0:4.18.0-372.93.1.el8_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-3625\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-3625\nhttps://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git/commit/?id=6b4db2e528f650c7fb712961aac36455468d5902" ], "name" : "CVE-2022-3625", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.", "lang" : "en:us" }, "csaw" : false }