中危 CVE-2022-48864

CVE编号

CVE-2022-48864

利用情况

暂无

补丁情况

官方补丁

披露时间

2024-07-16
漏洞描述
In the Linux kernel, the following vulnerability has been resolved:

vdpa/mlx5: add validation for VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command

When control vq receives a VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command
request from the driver, presently there is no validation against the
number of queue pairs to configure, or even if multiqueue had been
negotiated or not is unverified. This may lead to kernel panic due to
uninitialized resource for the queues were there any bogus request
sent down by untrusted driver. Tie up the loose ends there.
解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接
https://access.redhat.com/security/cve/CVE-2022-48864
https://git.kernel.org/stable/c/9f6effca75626c7a7c7620dabcb1a254ca530230
https://git.kernel.org/stable/c/e7e118416465f2ba8b55007e5b789823e101421e
https://git.kernel.org/stable/c/ed0f849fc3a63ed2ddf5e72cdb1de3bdbbb0f8eb
https://lore.kernel.org/linux-cve-announce/2024071629-CVE-2022-48864-2b26@gregkh/T
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
系统 debian_11 linux * Up to
(excluding)
5.10.221-1
运行在以下环境
系统 debian_12 linux * Up to
(excluding)
5.16.18-1
运行在以下环境
系统 linux linux_kernel * From
(including)
5.15 		Up to
(excluding)
5.15.29
运行在以下环境
系统 linux linux_kernel * From
(including)
5.16 		Up to
(excluding)
5.16.15
阿里云评分
5.0
  • 攻击路径
    本地
  • 攻击复杂度
    困难
  • 权限要求
    管控权限
  • 影响范围
    有限影响
  • EXP成熟度
    未验证
  • 补丁情况
    官方补丁
  • 数据保密性
    无影响
  • 数据完整性
    无影响
  • 服务器危害
    无影响
  • 全网数量
    N/A
CWE-ID 漏洞类型
CWE-908 对未经初始化资源的使用
阿里云安全产品覆盖情况