CVE-2022-35867

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-35867

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35867.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-35867

Published

2022-08-03T16:15:08.827Z

Modified

2026-03-14T11:48:39.473988Z

Severity

6.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

This vulnerability allows local attackers to escalate privileges on affected installations of xhyve. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the e1000 virtual device. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-15056.

References

https://www.zerodayinitiative.com/advisories/ZDI-22-949/

Affected packages

Git / github.com/machyve/xhyve

Affected ranges

Type

GIT

Repo

https://github.com/machyve/xhyve

Events

Introduced

Last affected

cd782515fff03bd4b80da60e29108f6b33476bf5

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.2.0"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.2.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35867.json"