Week of December 4, 2022
Published by Red Hat: an improper update of a reference count in io_uring leads to a use-after-free vulnerability in the Linux kernel and allows local privilege escalation. Details
Week of October 31, 2022
Week of October 17, 2022
Week of August 29, 2022
DirtyCred is an 8-year-old Linux kernel vulnerability that swaps unprivileged kernel credentials with privileged ones to escalate privileges to the maximum level. It exploits a previously unknown flaw (CVE-2022-2588) and is in early notification, not yet reported in the NVD. Details
Week of August 15, 2022
NVD reported that zlib (1.2.12), a software library used for data compression, has a heap-based buffer over-read, or a buffer overflow, in inflate.c through a large gzip header extra field. However, only applications that call “inflateGetHeader” are affected. Some common applications bundle the affected zlib source code but may be unable to call “inflateGetHeader.” Details
Week of August 8, 2022
According to NVD, remote attackers who can send HTTP requests to the gweb component in ConnMan (1.41) are able to exploit a heap-based buffer overflow in “received_data” to execute code. Details
Week of July 25, 2022
RandoriSec found a heap buffer overflow vulnerability within the Netfilter subsystem of the Linux kernel that could be exploited for privilege escalation. This vulnerability has been reported to the Linux security team and assigned CVE-2022-34918. Details
Week of July 18, 2022
Retbleed has been designated CVE-2022-29900 for AMD, and CVE-2022-29901 and CVE-2022-28693 for Intel. AMD is also using CVE-2022-23816 and CVE-2022-23825 to track Retbleed, which it calls a branch type confusion. In this case, rogue software on a machine can exploit Retbleed to access operating system kernel data and expose secrets, such as passwords and keys, within the memory. Older AMD and Intel chips are vulnerable to this Spectre-based speculative-execution attack. Details
Week of July 11, 2022
Week of June 27, 2022
Week of June 13, 2022
Hertzbleed is a frequency side-channel attack that exploits the fact that the dynamic frequency scaling of modern x86 processors depends on the data being processed. In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers. This issue affects AMD (CVE-2022-23823) and Intel (CVE-2022-24436) processors. Details
Week of May 30, 2022
Multiple buffer-overflow vulnerabilities in the U-Boot networking stack (IP packet defragmentation) can result in denial of service and overwrite attacks. Details
Week of May 16, 2022
A vulnerability in the domain name system (DNS) component of uClibc can expose devices to DNS poisoning attacks. Details
Week of May 2, 2022
Week of April 25, 2022
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record’s value to a VT-compatible terminal. Severity score 9.8.
Week of April 11, 2022
Week of March 28, 2022
Critical hijacking bugs in Azure Defender for IoT that can lead to full network compromise; severity score of 10. Details.
Bugs causing privilege escalation and information leak in Linux kernel. Details.
Week of March 21, 2022
Infinite loop bug enables a pre-authentication DoS attack on OpenSSL. Details.
Week of March 14, 2022
Arm Spectre Variant Cache Leak. Details.
Escalated privileges in Linux kernel cgroups. Details
Escalated privileges from heap out-of-bounds (OOB) writes in Linux kernel netfilter. Details
“Dirty Pipe” vulnerability in the Linux kernel. Details