CVE-2022-0286: Null Pointer Dereference
First published: Tue Jul 06 2021(Updated: )
A flaw was found in the Linux kernel. A null dereference in bond_ipsec_add_sa() may lead to a local denial of service. Upstream commit: <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=105cd17a866017b45f3c45901b394c711c97bf40">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=105cd17a866017b45f3c45901b394c711c97bf40</a> References: <a href="https://syzkaller.appspot.com/bug?id=160f641886d88bf11cbf1236cc4db994bb210626">https://syzkaller.appspot.com/bug?id=160f641886d88bf11cbf1236cc4db994bb210626</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Linux kernel | ||
| Oracle Communications Cloud Native Core Binding Support Function | =22.1.3 | |
| Oracle Communications Cloud Native Core Network Exposure Function | =22.1.1 | |
| Oracle Communications Cloud Native Core Policy | =22.2.0 | |
| redhat/kernel-rt | <0:4.18.0-372.9.1.rt7.166.el8 | 0:4.18.0-372.9.1.rt7.166.el8 |
| redhat/kernel | <0:4.18.0-372.9.1.el8 | 0:4.18.0-372.9.1.el8 |
Remedy
To mitigate this issue, prevent the module bonding from being loaded. Please see https://access.redhat.com/solutions/41278 for information on how to blacklist a kernel module to prevent it from loading automatically.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=105cd17a866017b45f3c45901b394c711c97bf40
- https://syzkaller.appspot.com/bug?id=160f641886d88bf11cbf1236cc4db994bb210626
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2048733
- https://access.redhat.com/errata/RHSA-2022:1975
- https://access.redhat.com/errata/RHSA-2022:1988
- https://access.redhat.com/security/cve/cve-2022-0286
- https://bugzilla.redhat.com/show_bug.cgi?id=2037019
- https://www.cve.org/CVERecord?id=CVE-2022-0286 https://nvd.nist.gov/vuln/detail/CVE-2022-0286 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=105cd17a866017b45f3c45901b394c711c97bf40
Frequently Asked Questions
What is CVE-2022-0286?
CVE-2022-0286 is a vulnerability in the Linux kernel that may lead to a denial of service attack due to a null pointer dereference in bond_ipsec_add_sa().
How does CVE-2022-0286 impact the system?
CVE-2022-0286 allows a local user to crash the system, resulting in a denial of service.
What is the severity of CVE-2022-0286?
The severity of CVE-2022-0286 is medium, with a severity value of 5.1.
Which software is affected by CVE-2022-0286?
Linux kernel versions up to and excluding 5.14, kernel-rt version 0:4.18.0-372.9.1.rt7.166.el8, and kernel version 0:4.18.0-372.9.1.el8 are affected by CVE-2022-0286.
How can I fix CVE-2022-0286?
To fix CVE-2022-0286, update to Linux kernel version 5.14 or later, kernel-rt version 0:4.18.0-372.9.1.rt7.166.el8 or later, or kernel version 0:4.18.0-372.9.1.el8 or later.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/remedy
- agent/author
- agent/weakness
- agent/references
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-0286
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- agent/trending
- package-manager/redhat
- vendor/linux
- canonical/linux linux kernel
- vendor/oracle
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/22.1.3
- canonical/oracle communications cloud native core network exposure function
- version/oracle communications cloud native core network exposure function/22.1.1
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/22.2.0