CVE-2022-2308
MEDIUMLinux Kernel - Use of Uninitialized Variable in vDPA VDUSE Config Space Handling
Title source: llmDescription
A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.
References (1)
Core 1
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=2103900
Scores
CVSS v3
6.5
EPSS
0.0022
EPSS Percentile
12.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Details
CWE
CWE-457
CWE-908
Status
published
Products (1)
linux/linux_kernel
Published
Sep 01, 2022
Tracked Since
Feb 18, 2026