CVE-2020-12656

CVSS v3.1 5.5 (Medium)

CVSS v2.0 2.1 (Low)

EPSS 0.04 % (15^th)

Affected Products 3

Advisories 20

NVD Status Modified

gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation in the Linux kernel through 5.6.10 lacks certain domain_release calls, leading to a memory leak. Note: This was disputed with the assertion that the issue does not grant any access not already available. It is a problem that on unloading a specific kernel module some memory is leaked, but loading kernel modules is a privileged operation. A user could also write a kernel module to consume any amount of memory they like and load that replicating the effect of this bug

Weaknesses

CWE-401: Missing Release of Memory after Effective Lifetime

CVE Status: PUBLISHED
NVD Status: Modified
CNA: MITRE
Published Date: 2020-05-05 06:15:11
(4 years ago)
Updated Date: 2024-08-04 12:15:50
(6 weeks ago)

Affected Products

Configuration #1

		CPE23	From	Up To
	Linux Kernel 5.6.10 and prior versions	cpe:2.3:o:linux:linux_kernel		<= 5.6.10

Configuration #2

		CPE23	From	Up To
	Canonical Ubuntu Linux 14.04	cpe:2.3:o:canonical:ubuntu_linux:14.04:::*:esm
	Canonical Ubuntu Linux 16.04	cpe:2.3:o:canonical:ubuntu_linux:16.04:::*:esm
	Canonical Ubuntu Linux 18.04	cpe:2.3:o:canonical:ubuntu_linux:18.04:::*:lts
	Canonical Ubuntu Linux 20.04	cpe:2.3:o:canonical:ubuntu_linux:20.04:::*:lts

Configuration #3

		CPE23	From	Up To
	Opensuse Leap 15.1	cpe:2.3:o:opensuse:leap:15.1
	Opensuse Leap 15.2	cpe:2.3:o:opensuse:leap:15.2

Weaknesses

Affected Products

Canonical

Linux

Opensuse

Configuration #1

Configuration #2

Configuration #3