
Test ID: 1.3.6.1.4.1.25623.1.0.893244
Category: Debian Local Security Checks
Title: Debian: Security Advisory (DLA-3244-1)
Summary: The remote host is missing an update for the Debian 'linux-5.10' package(s) announced via the DLA-3244-1 advisory.
Description:

Vulnerability Insight:
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2021-3759

It was discovered that the memory cgroup controller did not account for kernel memory allocated for IPC objects. A local user could use this for denial of service (memory exhaustion).

CVE-2022-3169

It was discovered that the NVMe host driver did not prevent a concurrent reset and subsystem reset. A local user with access to an NVMe device could use this to cause a denial of service (device disconnect or crash).

CVE-2022-3435

Gwangun Jung reported a flaw in the IPv4 forwarding subsystem which would lead to an out-of-bounds read. A local user with CAP_NET_ADMIN capability in any user namespace could possibly exploit this to cause a denial of service (crash).

CVE-2022-3521

The syzbot tool found a race condition in the KCM subsystem which could lead to a crash.

This subsystem is not enabled in Debian's official kernel configurations.

CVE-2022-3524

The syzbot tool found a race condition in the IPv6 stack which could lead to a memory leak. A local user could exploit this to cause a denial of service (memory exhaustion).

CVE-2022-3564

A flaw was discovered in the Bluetooth L2CAP subsystem which would lead to a use-after-free. This might be exploitable to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2022-3565

A flaw was discovered in the mISDN driver which would lead to a use-after-free. This might be exploitable to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2022-3594

Andrew Gaul reported that the r8152 Ethernet driver would log excessive numbers of messages in response to network errors. A remote attacker could possibly exploit this to cause a denial of service (resource exhaustion).

CVE-2022-3628

Dokyung Song, Jisoo Jang, and Minsuk Kang reported a potential heap-based buffer overflow in the brcmfmac Wi-Fi driver. A user able to connect a malicious USB device could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2022-3640

A flaw was discovered in the Bluetooth L2CAP subsystem which would lead to a use-after-free. This might be exploitable to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2022-3643 (XSA-423)

A flaw was discovered in the Xen network backend driver that would result in it generating malformed packet buffers. If these packets were forwarded to certain other network devices, a Xen guest could exploit this to cause a denial of service (crash or device reset).

CVE-2022-4139

A flaw was discovered in the i915 graphics driver. On gen12 Xe GPUs it failed to flush TLBs when necessary, resulting in GPU programs retaining access to freed memory. A local user with access to the ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'linux-5.10' package(s) on Debian 10.

Solution:
Please install the updated package(s).

CVSS Score:
8.3

CVSS Vector:
AV:A/AC:L/Au:N/C:C/I:C/A:C

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2021-3759
https://access.redhat.com/security/cve/CVE-2021-3759
https://bugzilla.redhat.com/show_bug.cgi?id=1999675
https://lore.kernel.org/linux-mm/1626333284-1404-1-git-send-email-nglaive@gmail.com/
https://lists.debian.org/debian-lts-announce/2022/12/msg00031.html
Common Vulnerability Exposure (CVE) ID: CVE-2022-3169
[debian-lts-announce] 20221222 [SECURITY] [DLA 3244-1] linux-5.10 security update
https://bugzilla.kernel.org/show_bug.cgi?id=214771
Common Vulnerability Exposure (CVE) ID: CVE-2022-3435
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S2KTU5LFZNQS7YNGE56MT46VHMXL3DD2/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GGHENNMLCWIQV2LLA56BJNFIUZ7WB4IY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNN3VFQPECS6D4PS6ZWD7AFXTOSJDSSR/
https://lore.kernel.org/netdev/20221005181257.8897-1-dsahern@kernel.org/T/#u
https://vuldb.com/?id.210357
Common Vulnerability Exposure (CVE) ID: CVE-2022-3521
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ec7eede369fe5b0d085ac51fdbb95184f87bfc6c
https://vuldb.com/?id.211018
https://lists.debian.org/debian-lts-announce/2022/12/msg00034.html
Common Vulnerability Exposure (CVE) ID: CVE-2022-3524
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c52c6bb831f6335c176a0fc7214e26f43adbd11
https://vuldb.com/?id.211021
Common Vulnerability Exposure (CVE) ID: CVE-2022-3564
https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=89f9f3cb86b1c63badaf392a83dd661d56cc50b1
https://vuldb.com/?id.211087
Common Vulnerability Exposure (CVE) ID: CVE-2022-3565
https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=2568a7e0832ee30b0a351016d03062ab4e0e0a3f
https://vuldb.com/?id.211088
Common Vulnerability Exposure (CVE) ID: CVE-2022-3594
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=93e2be344a7db169b7119de21ac1bf253b8c6907
https://vuldb.com/?id.211363
Common Vulnerability Exposure (CVE) ID: CVE-2022-3628
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c?id=6788ba8aed4e28e90f72d68a9d794e34eac17295
Common Vulnerability Exposure (CVE) ID: CVE-2022-3640
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OD7VWUT7YAU4CJ247IF44NGVOAODAJGC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DGOIRR72OAFE53XZRUDZDP7INGLIC3E3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XG2UPX3MQ7RKRJEUMGEH2TLPKZJCBU5C/
https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=42cf46dea905a80f6de218e837ba4d4cc33d6979
https://vuldb.com/?id.211944
Common Vulnerability Exposure (CVE) ID: CVE-2022-3643
http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html
https://xenbits.xenproject.org/xsa/advisory-423.txt
http://www.openwall.com/lists/oss-security/2022/12/07/2
Common Vulnerability Exposure (CVE) ID: CVE-2022-4139
https://bugzilla.redhat.com/show_bug.cgi?id=2147572
https://www.openwall.com/lists/oss-security/2022/11/30/1
Common Vulnerability Exposure (CVE) ID: CVE-2022-41849
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5610bcfe8693c02e2e4c8b31427f1bdbdecc839c
https://lore.kernel.org/all/20220925133243.GA383897@ubuntu/T/
Common Vulnerability Exposure (CVE) ID: CVE-2022-41850
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cacdb14b1c8d3804a3a7d31773bc7569837b71a4
https://lore.kernel.org/all/20220904193115.GA28134@ubuntu/t/#u
Common Vulnerability Exposure (CVE) ID: CVE-2022-42328
https://xenbits.xenproject.org/xsa/advisory-424.txt
http://www.openwall.com/lists/oss-security/2022/12/08/2
http://www.openwall.com/lists/oss-security/2022/12/08/3
http://www.openwall.com/lists/oss-security/2022/12/09/2
Common Vulnerability Exposure (CVE) ID: CVE-2022-42329
Common Vulnerability Exposure (CVE) ID: CVE-2022-42895
https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e
https://kernel.dance/#b1a2cd50c0357f243b7435a732b4e62ba3157a2e
Common Vulnerability Exposure (CVE) ID: CVE-2022-42896
https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4
https://kernel.dance/#711f8c3fb3db61897080468586b970c87c61d9e4
Common Vulnerability Exposure (CVE) ID: CVE-2022-4378
http://packetstormsecurity.com/files/171289/Kernel-Live-Patch-Security-Notice-LNS-0092-1.html
https://bugzilla.redhat.com/show_bug.cgi?id=2152548
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-6.0/proc-avoid-integer-type-confusion-in-get_proc_long.patch
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-6.0/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
https://seclists.org/oss-sec/2022/q4/178
Common Vulnerability Exposure (CVE) ID: CVE-2022-47518
https://github.com/torvalds/linux/commit/0cdfa9e6f0915e3d243e2393bfa8a22e12d553b0
https://lore.kernel.org/r/20221123153543.8568-5-philipturnbull@github.com
Common Vulnerability Exposure (CVE) ID: CVE-2022-47519
https://github.com/torvalds/linux/commit/051ae669e4505abbe05165bebf6be7922de11f41
https://lore.kernel.org/r/20221123153543.8568-3-philipturnbull@github.com
Common Vulnerability Exposure (CVE) ID: CVE-2022-47520
https://github.com/torvalds/linux/commit/cd21d99e595ec1d8721e1058dcdd4f1f7de1d793
https://lore.kernel.org/r/20221123153543.8568-2-philipturnbull@github.com
Common Vulnerability Exposure (CVE) ID: CVE-2022-47521
https://github.com/torvalds/linux/commit/f9b62f9843c7b0afdaecabbcebf1dbba18599408
https://lore.kernel.org/r/20221123153543.8568-4-philipturnbull@github.com
Copyright: Copyright (C) 2022 Greenbone AG
