1. Home
  2. Vulnerabilities
  3. CVE-2022-0185

CVE-2022-0185

CVSS v3.1 8.4 (High)
84% Progress
CVSS v2.0 7.2 (High)
72% Progress
EPSS 0.34 % (72th)
0.34% Progress
Affected Products 17
Advisories 35
NVD Status Analyzed
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software OVAL Tools, Exploits & PoC Graph Web & Social Timeline

A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.

Weaknesses
CWE-190
Integer Overflow or Wraparound
CWE-191
Integer Underflow (Wrap or Wraparound)
CVE Status
PUBLISHED
NVD Status
Analyzed
CNA
Red Hat, Inc.
Published Date
2022-02-11 18:15:10
(2 years ago)
Updated Date
2024-09-04 01:00:01
(12 days ago)
Linux Kernel Heap-Based Buffer Overflow Vulnerability (CISA - Known Exploited Vulnerabilities Catalog)
Description
Linux kernel contains a heap-based buffer overflow vulnerability in the legacy_parse_param function in the Filesystem Context functionality. This allows an attacker to open a filesystem that does not support the Filesystem Context API and ultimately escalate privileges.
Required Action
Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.
Known to be Used in Ransomware Campaigns
Unknown
Notes
This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=722d94847de2; https://nvd.nist.gov/vuln/detail/CVE-2022-0185
Vendor
Linux
Product
Kernel
In CISA Catalog from
2024-08-21
(3 weeks ago)
Due Date
2024-09-11
(5 days ago)

Affected Products

Linux

Netapp

Configuration #1

    CPE23 From Up To
  Linux Kernel from 5.1 version and prior 5.4.173 version cpe:2.3:o:linux:linux_kernel >= 5.1 < 5.4.173
  Linux Kernel from 5.5 version and prior 5.10.93 version cpe:2.3:o:linux:linux_kernel >= 5.5 < 5.10.93
  Linux Kernel from 5.11 version and prior 5.15.16 version cpe:2.3:o:linux:linux_kernel >= 5.11 < 5.15.16
  Linux Kernel from 5.16 version and prior 5.16.2 version cpe:2.3:o:linux:linux_kernel >= 5.16 < 5.16.2

Configuration #2

AND
    CPE23 From Up To
OR  
  Netapp H410c Firmware cpe:2.3:o:netapp:h410c_firmware:-
OR  
  Running on/with
  Netapp H410c cpe:2.3:h:netapp:h410c:-

Configuration #3

AND
    CPE23 From Up To
OR  
  Netapp H300s Firmware cpe:2.3:o:netapp:h300s_firmware:-
OR  
  Running on/with
  Netapp H300s cpe:2.3:h:netapp:h300s:-

Configuration #4

AND
    CPE23 From Up To
OR  
  Netapp H500s Firmware cpe:2.3:o:netapp:h500s_firmware:-
OR  
  Running on/with
  Netapp H500s cpe:2.3:h:netapp:h500s:-

Configuration #5

AND
    CPE23 From Up To
OR  
  Netapp H700s Firmware cpe:2.3:o:netapp:h700s_firmware:-
OR  
  Running on/with
  Netapp H700s cpe:2.3:h:netapp:h700s:-

Configuration #6

AND
    CPE23 From Up To
OR  
  Netapp H300e Firmware cpe:2.3:o:netapp:h300e_firmware:-
OR  
  Running on/with
  Netapp H300e cpe:2.3:h:netapp:h300e:-

Configuration #7

AND
    CPE23 From Up To
OR  
  Netapp H500e Firmware cpe:2.3:o:netapp:h500e_firmware:-
OR  
  Running on/with
  Netapp H500e cpe:2.3:h:netapp:h500e:-

Configuration #8

AND
    CPE23 From Up To
OR  
  Netapp H700e Firmware cpe:2.3:o:netapp:h700e_firmware:-
OR  
  Running on/with
  Netapp H700e cpe:2.3:h:netapp:h700e:-

Configuration #9

AND
    CPE23 From Up To
OR  
  Netapp H410s Firmware cpe:2.3:o:netapp:h410s_firmware:-
OR  
  Running on/with
  Netapp H410s cpe:2.3:h:netapp:h410s:-