Moby HyperKit uninitialized memory use vtrnd pci_vtrnd_notify
CVE-2021-32845

7.7HIGH

Key Information:

Vendor: Moby
Status: Hyperkit
Vendor: CVE Published:; 17 February 2023

What is CVE-2021-32845?

In HyperKit versions 0.20210107 and earlier, a vulnerability exists related to the qnotify function in pci_vtrnd_notify. The failure to verify the return value of vq_getchain leads to an uninitialized struct iovec iov, which can be exploited by an attacker to read sensitive memory when a failure occurs in vq_getchain. This flaw may result in denial of service by crashing the host and could also potentially cause memory corruption, affecting the stability and security of the system.

Affected Version(s)

hyperkit 0.20210107

References

https://securitylab.github.com/advisories/GHSL-2021-054_0...

https://github.com/moby/hyperkit/pull/313

https://github.com/moby/hyperkit/commit/41272a980197917df...

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 17, 2023
Vulnerability Reserved
May 12, 2021