First published: Wed Aug 31 2022
A flaw was found in the Linux kernel's dvb-core subsystem (the DVB API used by digital TV devices). A race condition in drivers/media/dvb-core/dmxdev.c results in a use-after-free. To trigger it, a local user has to physically remove a USB device (such as a DVB demultiplexer) while also running malicious code on the system. Reference: <a href="https://www.openwall.com/lists/oss-security/2022/09/23/4">https://www.openwall.com/lists/oss-security/2022/09/23/4</a>
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/kernel-rt | <0:4.18.0-477.10.1.rt7.274.el8_8 | 0:4.18.0-477.10.1.rt7.274.el8_8 |
redhat/kernel | <0:4.18.0-477.10.1.el8_8 | 0:4.18.0-477.10.1.el8_8 |
Linux Kernel | <=5.19.10 | |
Debian Linux | =11.0 | |
debian/linux | | 5.10.223-1, 5.10.234-1, 6.1.129-1, 6.1.128-1, 6.12.21-1 |
To mitigate this issue on systems that do not need DVB hardware, prevent the dvb-core kernel module from being loaded. Note that blacklisting it also disables every DVB driver that depends on it. See https://access.redhat.com/solutions/41278 for information on how to blacklist a kernel module so that it is not loaded automatically.
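The following is an added example, not part of the advisory or the Red Hat article it links to. It writes a modprobe.d drop-in that blocks dvb-core and checks whether the module is currently loaded. The directory and modules-file paths are parameters (assumed here) so the functions can be exercised against a scratch directory; on a real host they would be /etc/modprobe.d and /proc/modules.

```sh
#!/bin/sh
# Added example: block the dvb-core module from loading and verify its state.
# Not code from the advisory; paths are parameters so it can run against a
# scratch directory as well as the live system.

MODULE="dvb-core"

# write_blacklist DIR MODULE
# Writes DIR/blacklist-MODULE.conf and prints its path.
#   blacklist ...        stops alias-driven autoload when a DVB device appears
#   install ... /bin/false  also defeats an explicit `modprobe` and loads pulled
#                           in as a dependency of other DVB drivers
write_blacklist() {
    dir="$1"; mod="$2"
    conf="$dir/blacklist-$mod.conf"
    mkdir -p "$dir"
    printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod" > "$conf"
    printf '%s\n' "$conf"
}

# module_loaded MODULES_FILE MODULE
# Returns 0 if MODULE appears in a /proc/modules-style file, 1 otherwise.
# /proc/modules lists dvb-core as "dvb_core" (dashes become underscores).
module_loaded() {
    modfile="$1"; mod="$2"
    name=$(printf '%s' "$mod" | tr '-' '_')
    grep -q "^$name " "$modfile"
}

# Real-host usage (needs root); a module that is already loaded must be
# unloaded or the machine rebooted for the drop-in to take effect:
#   write_blacklist /etc/modprobe.d "$MODULE"
#   module_loaded /proc/modules "$MODULE" && echo "$MODULE still loaded: modprobe -r or reboot"
```

The `install dvb-core /bin/false` line matters because `blacklist` alone only suppresses alias-based autoloading; another DVB driver declaring dvb-core as a dependency would still pull it in.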
CVE-2022-41218 is rated high severity because a local user can win the race condition and trigger a use-after-free in kernel memory.
To fix CVE-2022-41218, update to a kernel that contains the fix: on Debian, the linux package at version 5.10.223-1, 5.10.226-1, 6.1.119-1, 6.1.123-1, 6.12.11-1, or 6.12.12-1 or later; on Red Hat Enterprise Linux 8, kernel 0:4.18.0-477.10.1.el8_8 or kernel-rt 0:4.18.0-477.10.1.rt7.274.el8_8; upstream, any kernel newer than 5.19.10.
CVE-2022-41218 affects Linux kernel users, in particular systems with DVB (digital TV) devices that expose the DVB API through dvb-core.
The CVE-2022-41218 vulnerability is caused by a race condition in the dvb-core demux device code (drivers/media/dvb-core/dmxdev.c) that leads to a use-after-free when the USB device is physically removed while it is in use.
CVE-2022-41218 cannot be exploited remotely: triggering it requires both local code execution on the system and physical access to unplug the DVB device.