CVE-2014-2568: Use After Free
First published: Tue Mar 18 2014(Updated: )
An information leak flaw was found in the way skb_zerocopy() copied skbs that are backed by userspace buffers (for example vhost-net and recent xen netback). Once the source skb is consumed, ubuf destructor is called and potentially releases the corresponding userspace buffers, which can then for example be repurposed, while the destination skb is still pointing to the them. Upstream patch: <a href="https://lkml.org/lkml/2014/3/20/421">https://lkml.org/lkml/2014/3/20/421</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel | <0:3.10.0-123.4.2.el7 | 0:3.10.0-123.4.2.el7 |
| Linux Kernel | >=3.0<=3.13.6 | |
| Ubuntu | =14.04 | |
| debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.135-1 6.12.25-1 6.12.27-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2014-2568 https://nvd.nist.gov/vuln/detail/CVE-2014-2568
- https://bugzilla.redhat.com/show_bug.cgi?id=1079012
- https://access.redhat.com/errata/RHSA-2014:0786
- https://access.redhat.com/security/cve/CVE-2014-2568
- http://seclists.org/oss-sec/2014/q1/627
- http://secunia.com/advisories/59599
- http://www.openwall.com/lists/oss-security/2014/03/20/16
- http://www.securityfocus.com/bid/66348
- http://www.ubuntu.com/usn/USN-2240-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/91922
- https://lkml.org/lkml/2014/3/20/421
- https://launchpad.net/bugs/cve/CVE-2014-2568
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1079013
- http://seclists.org/oss-sec/2014/q1/630
- https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=36d5fe6a000790f56039afe26834265db0a3ad4c
- https://rhn.redhat.com/errata/RHSA-2014-0786.html
- https://security-tracker.debian.org/tracker/CVE-2014-2568
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2568
- https://nvd.nist.gov/vuln/detail/CVE-2014-2568
- https://ubuntu.com/security/CVE-2014-2568
Frequently Asked Questions
What is the severity of CVE-2014-2568?
CVE-2014-2568 is classified as a medium severity vulnerability due to its potential for information leakage in user-space memory.
How do I fix CVE-2014-2568?
To fix CVE-2014-2568, you should upgrade to kernel version 0:3.10.0-123.4.2.el7 or later for Red Hat systems.
What versions of the Linux kernel are affected by CVE-2014-2568?
CVE-2014-2568 affects Linux kernel versions from 3.0 to 3.13.6 inclusive.
Which Linux distributions are impacted by CVE-2014-2568?
CVE-2014-2568 affects Red Hat, Ubuntu 14.04, and Debian-based systems with specific kernel versions.
Is CVE-2014-2568 related to userspace buffer handling?
Yes, CVE-2014-2568 involves an information leak due to the handling of userspace buffers in skb_zerocopy().
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-2568
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/description
- agent/trending
- agent/source
- agent/author
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- collector/nvd-cve
- collector/security-tracker-debian
- source/Debian
- package-manager/redhat
- vendor/linux
- canonical/linux kernel
- version/linux kernel/3.0
- version/linux kernel/3.13.6
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/14.04
- package-manager/debian