CVE-2022-27223

Description

In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access.

CVSS Metrics

• v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v2.0•MEDIUM•Score: 6.5AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.32%• Percentile: 55%

Techniques & Countermeasures

• CWE-129•Improper Validation of Array Index

  The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

Affected Systems

• debian•debian_linux

  9.0

• linux•linux_kernel

  ≥ 3.18, < 4.9.304 | ≥ 4.10, < 4.14.269 | ≥ 4.15, < 4.19.232 | ≥ 4.20, < 5.4.182 | ≥ 5.5, < 5.10.103 | ≥ 5.11, < 5.15.26 | ≥ 5.16, < 5.16.12

• netapp•active_iq_unified_manager

  na

• netapp•h300e

  na

• netapp•h300s_firmware

  na

• netapp•h410s_firmware

  na

• netapp•h500e

  na

• netapp•h500s_firmware

  na

• netapp•h700e

  na

• netapp•h700s_firmware

  na

References (4)

• https://github.com/torvalds/linux/commit/7f14c7227f342d9932f9b918893c8814f86d2a0d
• https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.12
• https://security.netapp.com/advisory/ntap-20220419-0001/
• https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html