CVE-2022-23523

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-23523
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23523.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-23523
Aliases
Published
2022-12-13T08:15:10Z
Modified
2024-05-14T11:35:16.022132Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In versions prior to 0.8.1, the linux-loader crate uses the offsets and sizes provided in the ELF headers to determine the offsets to read from. If those offsets point beyond the end of the file, a Virtual Machine Monitor using the linux-loader crate could enter an infinite loop when the ELF header of the kernel it is loading has been modified in a malicious manner. This issue has been addressed in 0.8.1. The issue can be mitigated by ensuring that only trusted kernel images are loaded or by verifying that the headers do not point beyond the end of the file.
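
The second mitigation above, verifying that the headers do not point beyond the end of the file, can be applied to an image before it is handed to the loader. The following is an added example, not code from the linux-loader crate or its 0.8.1 fix; it assumes a little-endian ELF64 image already read into memory, and `check_elf64_bounds` and `sample_image` are hypothetical names.

```rust
// Added example (not linux-loader code): bounds-check ELF64 headers against the image size.
// Field offsets are from the ELF64 layout; function names are hypothetical.
fn u16_at(b: &[u8], o: usize) -> u64 { u16::from_le_bytes([b[o], b[o + 1]]) as u64 }
fn u64_at(b: &[u8], o: usize) -> u64 {
    let mut v = [0u8; 8];
    v.copy_from_slice(&b[o..o + 8]);
    u64::from_le_bytes(v)
}

/// Ok(()) only if the program header table and each segment's file range
/// [p_offset, p_offset + p_filesz) lie inside `image`.
pub fn check_elf64_bounds(image: &[u8]) -> Result<(), String> {
    let len = image.len() as u64;
    if image.len() < 64 || &image[..6] != b"\x7fELF\x02\x01" {
        return Err("not a complete ELF64 little-endian header".into());
    }
    let (phoff, phentsize, phnum) = (u64_at(image, 0x20), u16_at(image, 0x36), u16_at(image, 0x38));
    if phnum > 0 && phentsize < 56 {
        return Err("e_phentsize smaller than an ELF64 program header".into());
    }
    // checked_add: a huge offset must not wrap around and pass the comparison.
    phoff.checked_add(phnum * phentsize).filter(|&end| end <= len)
        .ok_or("program header table extends past end of file")?;
    for i in 0..phnum {
        let ph = (phoff + i * phentsize) as usize;
        let (off, filesz) = (u64_at(image, ph + 8), u64_at(image, ph + 32));
        off.checked_add(filesz).filter(|&end| end <= len)
            .ok_or(format!("segment {}: file range extends past end of file", i))?;
    }
    Ok(())
}

/// Constructed sample: ELF64 header, one program header, 16 payload bytes (136 bytes total).
pub fn sample_image(p_offset: u64, p_filesz: u64) -> Vec<u8> {
    let mut img = vec![0u8; 64 + 56 + 16];
    img[..6].copy_from_slice(b"\x7fELF\x02\x01");
    img[0x20..0x28].copy_from_slice(&64u64.to_le_bytes()); // e_phoff
    img[0x36..0x38].copy_from_slice(&56u16.to_le_bytes()); // e_phentsize
    img[0x38..0x3a].copy_from_slice(&1u16.to_le_bytes()); // e_phnum
    img[72..80].copy_from_slice(&p_offset.to_le_bytes()); // p_offset of header 0
    img[96..104].copy_from_slice(&p_filesz.to_le_bytes()); // p_filesz of header 0
    img
}

fn main() {
    println!("{:?}", check_elf64_bounds(&sample_image(120, 16))); // segment ends at EOF
    println!("{:?}", check_elf64_bounds(&sample_image(120, 1 << 40))); // segment past EOF
}
```

Rejecting the image up front keeps a header that points past the end of the file from ever reaching the loader's read path.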

References

Affected packages

Git / github.com/rust-vmm/linux-loader

Affected ranges

Type
GIT
Repo
https://github.com/rust-vmm/linux-loader
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.2.0
v0.3.0
v0.4.0
v0.5.0
v0.6.0
v0.7.0
v0.8.0