The CVE Dashboard

CVE-2022-46396

This Mali GPU Kernel Driver CVE can allow a non-privileged user to make improper GPU memory processing operations in order to access a limited amount outside of buffer bounds.” Detail 1, Detail 2.

CVE-2023-2868

This remote-command-injection vulnerability exists in the Barracuda Email Security Gateway and results in unauthorized access to a subset of email gateway appliances. It affects a module used to initially screen attachments for incoming emails.” Detail 1, Detail 2.

CVE-2023-32233

This new Linux NetFilter kernel flaw allows unprivileged local users to escalate their privileges to root level through a use-after-free in Netfilter nf_tables when processing batch requests, and can result in complete control over a system. ” Detail 1, Detail 2.

CVE-2022-36227

In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: “In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.” Detail 1, Detail 2, Detail 3.

CVE-2022-42703

mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse. Detail 1, Detail 2

CVE-2022-39377

sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1. Detail 1, Detail 2.

CVE-2022-3970

A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability. Detail 1, Detail 2.

CVE-2022-37454

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface. Detail 1, Detail 2, Detail 3.

CVE-2022-3910

Published by Redhat, an improper Update of Reference Count in io_uring leads to this use-after-free vulnerability in Linux Kernel and allows for local privilege escalation. Detail 1.

CVE-2022-3786, CVE-2022-3602

OpenSSL 3.0.7 update to fix two high-severity punycode decoder buffer overrun vulnerabilities, triggered in X.509 certificate verification. Does not affect versions before 3.0. Detail 1. Detail 2.

CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722

Multiple vulnerabilities in the Linux kernel WiFi stack that can be exploited over the air via malicious packets. Impact ranging from denial of service to possible remote code execution. Detail 1. Detail 2. Detail 3.

CVE-2022-2588

DirtyCred is an 8-year-old Linux kernel vulnerability that swaps unprivileged kernel credentials with privileged ones to escalate privileges to the maximum level. It exploits a previously unknown flaw (CVE-2022-2588) and is in early notification, not yet reported in the NVD. Details

CVE-2022-37434

NVD reported that zlib (1.2.12), a software library used for data compression, has a heap-based buffer over-read, or a buffer overflow, in inflate.c through a large gzip header extra field. However, only applications that call “inflateGetHeader” are affected. Some common applications bundle the affected zlib source code but may be unable to call “inflateGetHeader.” Details

CVE-2022-32292

According to NVC, remote attackers that can send HTTP requests to the gweb component in ConnMan (1.41) are able to exploit a heap-based buffer overflow in “received_data” to execute code. Details

CVE-2022-34918

RandoriSec found a heap buffer overflow vulnerability within the Netfilter subsystem of the Linux kernel that could be exploited to get a privilege escalation. This vulnerability has been reported to the Linux security team and assigned CVE-2022-34918. Details

CVE-2022-29900, CVE-2022-29901 , CVE-2022-23816  and CVE-2022-23825 

Retbleed has been designated CVE-2022-29900 for AMD, and CVE-2022-29901 and CVE-2022-28693 for Intel. AMD is also using CVE-2022-23816 and CVE-2022-23825 to track Retbleed, which it calls a branch type confusion. In this case, rogue software on a machine can exploit Retbleed to access operating system kernel data and expose secrets, such as passwords and keys, within the memory. Older AMD and Intel chips are vulnerable to this Spectre-based speculative-execution attack. Details

CVE-2022-2274

The latest version of OpenSSL version 3.0.4 contains a memory corruption vulnerability that puts x64 systems with Intel’s Advanced Vector Extensions 512 (AVX512) at risk of heap memory corruption with RSA private key operations. Details 1, Details 2

CVE-2022-2068 and CVE-2022-1292 

The c_rehash script included with OpenSSL does not properly sanitize shell metacharacters to prevent command injection. Details 1, Details 2

CVE-2022-24436 and CVE-2022-23823

Hertzbleed is a frequency side-channel attack that exploits the dynamic frequency scaling of modern x86 processors depending on the data being processed. In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers. This issue affects AMD (CVE-2022-23823) and Intel (CVE-2022-24436) processors. Details

CVE-2022-30790 and CVE-2022-30552

Multiple buffer overflow related vulnerabilities in the u-boot networking stack (IP packet de-fragmentation) that can result in denial of service and overwrite attacks. Details

CVE-2022-30295

A vulnerability in the domain name system (DNS) component of uClibc can result in DNS poisoning attack risk. Details

CVE-2022-29799 & CVE-2022-29800

“Nimbuspwn” flaws can be chained together to gain root privileges on Linux systems via arbitrary root code execution. Detail 1,Detail 2

CVE-2022-28391

BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record’s value to a VT compatible terminal. Severity score 9.8.

CVE-2022-27666

CVE-2021-42311 AND CVE-2021-42313

Critical hijacking bugs that can lead to full network compromise in Azure Defender for IoT; severity score of 10. Details.

CVE-2022-1015 AND CVE-2022-1016

Bugs causing privilege escalation and information leak in Linux kernel. Details.

CVE-2022-0778

Infinite loop bug enables a pre-authentication DOS attack on OpenSSL. Details.

CVE-2022-23960

Arm Spectre Variant Cache Leak. Details.

CVE-2022-0492

Escalated privileges in Linux kernel cgroups. Details

CVE-2022-25636

Privileges from heap OOB writes in Linux kernel netfilter. Details

CVE-2022-0847

“Dirty Pipe” vulnerability in the Linux kernel. Details