USN-5415-1

Advisory lineage Upstream: 16 Downstream: 0
Published: 12 May 2022, 00:49
Last modified:23 May 2026, 01:33

Vulnerability Summary

Overall Risk (default)
minimal
0/100
CVSS Score
No data
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

12 May 2022, 00:49
Published
Vulnerability first disclosed
23 May 2026, 01:33
Last Modified
Vulnerability information updated

Description

linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4 vulnerabilities Jeremy Cline discovered a use-after-free in the nouveau graphics driver of the Linux kernel during device removal. A privileged or physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-27820) Ke Sun, Alyssa Milburn, Henrique Kawakami, Emma Benoit, Igor Chervatyuk, Lisa Aichele, and Thais Moreira Hamasaki discovered that the Spectre Variant 2 mitigations for AMD processors on Linux were insufficient in some situations. A local attacker could possibly use this to expose sensitive information. (CVE-2021-26401) David Bouman discovered that the netfilter subsystem in the Linux kernel did not initialize memory in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2022-1016) It was discovered that the MMC/SD subsystem in the Linux kernel did not properly handle read errors from SD cards in certain situations. An attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2022-20008) It was discovered that the USB gadget subsystem in the Linux kernel did not properly validate interface descriptor requests. An attacker could possibly use this to cause a denial of service (system crash). (CVE-2022-25258) It was discovered that the Remote NDIS (RNDIS) USB gadget implementation in the Linux kernel did not properly validate the size of the RNDIS_MSG_SET command. An attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2022-25375) It was discovered that the ST21NFCA NFC driver in the Linux kernel did not properly validate the size of certain data in EVT_TRANSACTION events. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2022-26490) It was discovered that the Xilinx USB2 device gadget driver in the Linux kernel did not properly validate endpoint indices from the host. A physically proximate attacker could possibly use this to cause a denial of service (system crash). (CVE-2022-27223)

Affected Systems

  • ubuntulinux

    < 5.4.0-110.124

  • ubuntulinux-aws

    < 5.4.0-1073.78

  • ubuntulinux-azure

    < 5.4.0-1078.81

  • ubuntulinux-azure-5.4

    < 5.4.0-1078.81~18.04.1

  • ubuntulinux-azure-fde

    < 5.4.0-1078.81+cvm1.1

  • ubuntulinux-gcp

    < 5.4.0-1073.78

  • ubuntulinux-gcp-5.4

    < 5.4.0-1073.78~18.04.1

  • ubuntulinux-gke

    < 5.4.0-1071.76

  • ubuntulinux-gkeop

    < 5.4.0-1040.41

  • ubuntulinux-gkeop-5.4

    < 5.4.0-1040.41~18.04.1

  • ubuntulinux-hwe-5.4

    < 5.4.0-110.124~18.04.1

  • ubuntulinux-ibm

    < 5.4.0-1021.23

  • ubuntulinux-ibm-5.4

    < 5.4.0-1021.23~18.04.1

  • ubuntulinux-kvm

    < 5.4.0-1063.66

  • ubuntulinux-oracle

    < 5.4.0-1071.77

  • ubuntulinux-oracle-5.4

    < 5.4.0-1071.77~18.04.1

  • ubuntulinux-raspi

    < 5.4.0-1060.68

  • ubuntulinux-raspi-5.4

    < 5.4.0-1060.68~18.04.1

References (9)