CVE-2016-4482

MEDIUM

Canonical Ubuntu Linux < 4.6 - Information Disclosure

Title source: rule

Description

The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call.

References (28)

[Vendor Advisory] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=681fef8380eb818c0b845fca5d2ab1dcbab114ee

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00054.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00056.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/90029

[Third Party Advisory] http://www.ubuntu.com/usn/USN-3016-1

[Third Party Advisory] http://www.ubuntu.com/usn/USN-3016-2

[Third Party Advisory] http://www.ubuntu.com/usn/USN-3016-3

[Third Party Advisory] http://www.ubuntu.com/usn/USN-3016-4

[Third Party Advisory] http://www.ubuntu.com/usn/USN-3017-1

[Third Party Advisory] http://www.ubuntu.com/usn/USN-3017-2

[Third Party Advisory] http://www.ubuntu.com/usn/USN-3017-3

[Third Party Advisory] http://www.ubuntu.com/usn/USN-3018-1

[Third Party Advisory] http://www.ubuntu.com/usn/USN-3018-2

[Third Party Advisory] http://www.ubuntu.com/usn/USN-3019-1

[Third Party Advisory] http://www.ubuntu.com/usn/USN-3020-1

[Third Party Advisory] http://www.ubuntu.com/usn/USN-3021-1

[Third Party Advisory] http://www.ubuntu.com/usn/USN-3021-2

... and 8 more

Scores

CVSS v3 6.2

EPSS 0.0003

EPSS Percentile 9.8%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-200

Status draft

Affected Products (21)

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

linux/linux_kernel < 4.6

novell/suse_linux_enterprise_software_development_kit

novell/suse_linux_enterprise_software_development_kit

novell/suse_linux_enterprise_software_development_kit

novell/suse_linux_enterprise_debuginfo

novell/suse_linux_enterprise_desktop

novell/suse_linux_enterprise_desktop

novell/suse_linux_enterprise_live_patching

novell/suse_linux_enterprise_module_for_public_cloud

novell/suse_linux_enterprise_real_time_extension

novell/suse_linux_enterprise_server

... and 6 more

Timeline

Published May 23, 2016

Tracked Since Feb 18, 2026