CVE-2022-25258
Advisory lineage Upstream: 0 Downstream: 19
Modified
Published: 16 Feb 2022, 00:00
Last modified:03 Aug 2024, 04:36
Vulnerability Summary
Overall Risk (default)
low
20/100 CVSS Score
4.9 MEDIUM
v2.0 (nvd)
EPSS Score
0.18% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
16 Feb 2022, 00:00
Published
Vulnerability first disclosed
03 Aug 2024, 04:36
Last Modified
Vulnerability information updated
Description
An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.
CVSS Metrics
- v3.1•MEDIUM•Score: 4.6CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- v2.0•MEDIUM•Score: 4.9AV:L/AC:L/Au:N/C:N/I:N/A:C
EPSS Trends
Current EPSS score: 0.18%• Percentile: 39%
Techniques & Countermeasures
- CWE-476•NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Systems
- debian•debian_linux
9.0 | 10.0 | 11.0
- fedoraproject•fedora
35
- linux•linux_kernel
< 5.16.10
- netapp•active_iq_unified_manager
na
- netapp•h300s_firmware
na
- netapp•h410c_firmware
na
- netapp•h410s_firmware
na
- netapp•h500s_firmware
na
- netapp•h700s_firmware
na
References (9)
- https://github.com/torvalds/linux/commit/75e5b4849b81e19e9efe1654b30d7f3151c33c2c
- https://github.com/szymonh/d-os-descriptor
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.10
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TCW2KZYJ2H6BKZE3CVLHRIXYDGNYYC5P/
- https://www.debian.org/security/2022/dsa-5092
- https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html
- https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html
- https://www.debian.org/security/2022/dsa-5096
- https://security.netapp.com/advisory/ntap-20221028-0007/